-= Per source details. Do not edit below this line.=-
Package advertises itself as a TypeScript/ESLint/Jest toolkit but ships no such tooling. On import, index.js -> run() -> packProjectBundle() walks the project CWD, the user's home directory, and (on Windows) drives C:-J: matching filenames against a wallet/seed/mnemonic/keystore/private-key/credential keyword list (wallet, mnemonic, privatekey, keystore, metamask, ledger, trezor,.env*, config.toml,.pem,.p12,.pfx). collectDevSecrets() additionally scans ~/projects, ~/dev, ~/code, ~/repos, ~/src, ~/work, ~/Desktop, ~/Documents and regex-matches file contents for EVM private keys, Solana key arrays, BIP-39 mnemonics, Hardhat mnemonics, AWS secrets, APISECRET/ACCESSTOKEN values, and npm/GitHub/PyPI tokens; matches are written into 'dev-secrets-scrape.txt'. gatherShellHistory() reads.bashhistory,.zshhistory, fish history, and PowerShell PSReadLine ConsoleHosthistory.txt and shells out via execSync('bash -c history') and execSync("zsh -c 'fc -l -1000'"). gatherClipboardSnapshots() invokes PowerShell Get-Clipboard, pbpaste, wl-paste, and xclip to capture clipboard contents. index.js also base64-decodes '8.8.8.8:80' and opens a UDP socket to learn the outbound interface IP for victim fingerprinting. upload.js multipart-POSTs the collected files, username, and platform metadata to a hardcoded endpoint at https://trabalhos-flax.vercel.app/api/v1 (DEFAULTAPI_BASE). Several destination and pattern strings are base64-encoded at the entrypoint to obscure intent.
{
"malicious-packages-origins": [
{
"versions": [
"29.4.12"
],
"id": "IN-MAL-2026-009743",
"import_time": "2026-07-11T23:49:33.863675982Z",
"modified_time": "2026-07-11T23:21:03Z",
"sha256": "8dc9fa6bfe010d792303258bd713e854e8c218c18762d62b864e8a350d1b473e",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "3bba21021a32cdcfa653be8f1f09a827af8c442780813af584cd555ee2765de0",
"tlsh": "ac82d7c910f972298bf2a3b9db170015fe6b4963d4068399fefc8a842f76110d265dec",
"path": "lib/collect.js"
},
{
"sha256": "17065c14de5160fe0e66ff15f4d717b27637d517b23865fce16683c834dd0773",
"tlsh": "9641e1aeefcc6d0116e45ba83c7c181569f5b22da590d2713934f4822fbd21383b297e",
"path": "lib/config.js"
},
{
"tlsh": "807196457df93631a1f32580ea8f44117588c202350aae067ebc97816f17214bbb3dea",
"sha256": "29dc3344c5bb02d36697ece4e9aceae0dd944a27b1ad2d5946d18bd866e71776",
"path": "index.js"
},
{
"tlsh": "a4f05c32aeb1d46316c819520e7ac06f6670dc1f0748fd1873db152c43ec5b224bd259",
"sha256": "3209af620ce640973cd65c49745af19849007db0a668092e3aa95de3a9af0c54",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "awesome-ts-jest-29.4.12.tgz",
"hashes": {
"sha512_sri": "sha512-HRJyEPHeAcqNxgLN4MsAfFh6o/LZFuIc9sLjDfxJYzZn++OAdcE0EJDSVEe95mWJVWGSkEeP3TptKDtW9bZvDA==",
"sha1": "b49f69619fd5448398dce63819bf937078ce8546"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/awesome-ts-jest/MAL-2026-10188.json"