-= Per source details. Do not edit below this line.=-
package.json declares the runtime dependency node-runtime-utils as https://github.com/Hexa-devy/node-runtime-utils/archive/refs/heads/main.tar.gz — a tarball fetched from the mutable main branch of a personal GitHub user's repository, with no commit SHA, tag, or integrity hash pinning. On npm install fetchcraft, npm downloads and installs whatever bytes that URL serves at install time, including any lifecycle scripts (preinstall/install/postinstall/prepare) shipped in the fetched tarball. Because the source is a mutable branch under a personal account rather than a registry-published package or a pinned commit, the contents can be swapped at any time without any change to fetchcraft itself, allowing arbitrary code to be executed on the installer's machine. The dependency is not referenced by the package's exported code, giving it no legitimate functional purpose.
{
"malicious-packages-origins": [
{
"sha256": "72eb80237f1255f009a3dd04cff4ec9b6b2c569088f487ab56b6924ce3f721c7",
"id": "IN-MAL-2026-010223",
"modified_time": "2026-07-13T09:24:58Z",
"versions": [
"1.0.1"
],
"import_time": "2026-07-13T10:37:39.114956934Z",
"source": "amazon-inspector"
},
{
"sha256": "c1a40f1af8ba957a18b37ddba0dbe5634112f489841b22208eff421f9a09f786",
"id": "IN-MAL-2026-010221",
"import_time": "2026-07-13T10:37:38.998640141Z",
"modified_time": "2026-07-13T09:24:42Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "29beba789e40ec174bf160d397beeeecaecd2e639cd345875fa5b3c9965021e7",
"tlsh": "1211a631ca511c2342c5a762ae3a0383b6209e170d10bc2cb386013c4f4d16f62fe26c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "fetchcraft-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-RKNTganm49Hm4k69onSat7reEh8OsaiwxXKakgfXLGYuhIktAc8EDkQmPgq6HVBpl2uo4HG4Q+MjlqKq0g1t+w==",
"sha1": "0825e13ad0ce50c2b3ad2fcb397ce9ab2f55da0d"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fetchcraft/MAL-2026-10435.json"