MAL-2026-10436

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jest-formatter/MAL-2026-10436.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10436
Published
2026-07-13T09:22:35Z
Modified
2026-07-13T10:47:05.780768219Z
Summary
Malicious code in jest-formatter (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (af1f270f7df9ee4f9088044964921e1b085b809ddb1d696e652326c58e5c0aba)

The package jest-formatter@1.0.0 presents itself as a Jest test output formatter but its lib/collect.js imports child_process and invokes execSync with bash and zsh at lines 205 and 221. The 'collect' module name combined with shell execution via multiple shells is consistent with harvesting installer-side data (shell history, credentials, environment) from Unix hosts. The behavior does not match the advertised purpose of formatting test output, and the traced content matched patterns associated with credential/data collection payloads. Concrete shell-exec sinks in a module named 'collect' inside a package with no legitimate need for bash/zsh invocation indicate an active data-collection payload rather than a formatter library.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "af1f270f7df9ee4f9088044964921e1b085b809ddb1d696e652326c58e5c0aba",
            "id": "IN-MAL-2026-010208",
            "import_time": "2026-07-13T10:37:37.841992243Z",
            "modified_time": "2026-07-13T09:22:35Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / jest-formatter

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "3bba21021a32cdcfa653be8f1f09a827af8c442780813af584cd555ee2765de0",
            "tlsh": "ac82d7c910f972298bf2a3b9db170015fe6b4963d4068399fefc8a842f76110d265dec",
            "path": "lib/collect.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "jest-formatter-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-9HsDqEL0hYNdDnXfu6/yY8aV35mNKMBmAbJM3E9c9zQ2MD0wfjc3/RWMFRtNMs5xvfiojkWC++ad6e5oPTfB0w==",
                "sha1": "f26e69f6520ad42c28158bc9bfed1d077d8de017"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jest-formatter/MAL-2026-10436.json"