OSV Malicious Advisory
Scanned 1d ago · by OpenSSF/OSV
OpenSSF/OSV advisory MAL-2026-6756 confirms this npm version as malicious. The package.json `postinstall` script executes a Node one-liner that opens a TCP connection to the hardcoded IP 185.112.147.174 on port 7007 and spawns `/bin/sh` with its stdio piped through the socket...
Advisory
MAL-2026-6756
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in vps-maintenance (npm)
Details
The package.json `postinstall` script executes a Node one-liner that opens a TCP connection to the hardcoded IP 185.112.147.174 on port 7007 and spawns `/bin/sh` with its stdio piped through the socket. Because npm auto-runs `postinstall` during `npm install`, any machine that runs `npm install vps-maintenance` immediately hands an interactive shell to whoever operates that endpoint, yielding arbitrary remote code execution as the installing user. There is no legitimate install-time use for a bare-IP shell bridge — this is a reverse-shell dropper, not a build helper, runtime fetch, or native-addon step. The package name (`vps-maintenance`) is a cover story; the actual behavior is a backdoor.
Decision reason
OpenSSF Malicious Packages via OSV confirms vps-maintenance@0.1.0 as malicious (MAL-2026-6756): Malicious code in vps-maintenance (npm)
References
Source & flagged code
0 flagged
No flagged code excerpts are attached to this scan.
Findings
1 High
High
OSV Malicious Advisory