-= Per source details. Do not edit below this line.=-
package.json declares the package's own name as both a dependency and devDependency pointing to http://pack.nppacks.com/npm/security-node, a non-npm-registry host served over plaintext HTTP. On npm install, npm fetches whatever tarball that URL currently serves and installs it as nodemodules/security-node, replacing the registry-published contents with code delivered from a mutable third-party host over an unauthenticated channel. This bypasses registry-side scanning and version pinning; the operator of pack.nppacks.com (or any on-path MITM against the plain-HTTP fetch) controls the code that lands in the installer's nodemodules on every install. The shipped index.js itself is a benign Babel DefinePlugin-style transform with a self-declared 'Security Research Testing Purpose' header comment, but the tarball substitution mechanism is the installer-harm surface, independent of the current in-tarball code.
{
"malicious-packages-origins": [
{
"sha256": "2450dc325921e41fd15c24339c29dc86bef36424dd6f8447c07cffd219f3955a",
"id": "IN-MAL-2026-009592",
"import_time": "2026-07-09T23:30:55.828134674Z",
"modified_time": "2026-07-09T23:02:15Z",
"versions": [
"1.1.4"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "cf9d7cd2d611d5095d17e3dfc39d1c0371f0b1fc4398a48780cf2e4d1ae443c0",
"tlsh": "e4f0fc08ce35e93344c565629937450662349d975c99fe0c37c7061d9fcd56720f459c",
"path": "package.json"
},
{
"sha256": "f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41",
"tlsh": "71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "security-node-1.1.4.tgz",
"hashes": {
"sha512_sri": "sha512-1C/3jRlzz/+stUm/0BIw608icP3w/txACn4SI9Hq72RTRKtRs4Kri8IijgMUnClFPye8s5CbDiODhh+yfWCEOw==",
"sha1": "d1e734f01abe4d19bce47dccdfcde5944cf0b0b7"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/security-node/MAL-2026-10107.json"