-= Per source details. Do not edit below this line.=-
The package advertises itself as a trading-gamification library (XP, leaderboards, updateProgress/getLeaderboard) but its source contains none of those APIs. The only meaningful exports are setDefaultModule and getPlugin. getPlugin assembles the URL https://svganchordev.net/icons/116 from split string fragments (protocol/domain/separator/path/token), fetches it with a fake bearrtoken: 'logo' header, and passes the response's data.credits field to new Function('require','module','exports',...,'Promise', data.credits) invoked with require, process, Buffer, and other host globals. This is a remote loader: whoever controls the attacker endpoint controls arbitrary code executed in the installer's Node process with full module privileges. A second function setDefaultModule fetches font-awesome SVGs from cdnjs as a decoy to camouflage the active loader. Declared runtime dependencies (@primno/dpapi, better-sqlite3, node-machine-id) line up with Windows DPAPI credential-decryption / machine-fingerprinting payloads commonly delivered by this loader shape. The package also ships an ed25519 OpenSSH private key (gitlab, comment testm@DESKTOP-PO28IS1), corroborating sloppy/hostile provenance.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T21:34:08Z",
"versions": [
"3.6.2"
],
"sha256": "4fe587022b4c37397e4dc27224cb42d69a60b6b632e22c3c01f62c6e6a95a368",
"import_time": "2026-07-13T21:49:34.070594773Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010327"
},
{
"modified_time": "2026-07-13T21:34:00Z",
"versions": [
"3.1.0"
],
"sha256": "f24facab67c0c7bd4775a6081ee54f4fab3fa7a5dd93b52a87f1111088e5e501",
"id": "IN-MAL-2026-010326",
"source": "amazon-inspector",
"import_time": "2026-07-13T21:49:33.975864137Z"
}
]
}{
"evidence_files": [
{
"tlsh": "89c1606546fa31a36a67f4eef30f100271a5e3133759e971f48e42902fca568e5f24e8",
"sha256": "c320c60283b6622ddd7a4cf0086da6513abd6ed3567a144e538d4eee082a6554",
"path": "index.js"
},
{
"tlsh": "5bf07815ce20eea329d521566938a057a921dd0b8d00fc0c338e4b9d1f8e06f3afe35c",
"sha256": "09c9ec61658ed912e6af5cb4aaa938f85222456cd1e68e8c67e3f677f8153237",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "383692d96ba0740f11da05bf0eaed58d44f81730",
"sha512_sri": "sha512-o93wHpJgcqo7eAAUeS+Eyc2OHV2alD2wsIE/8FxLUvlSlmlXXCy/4U4lltYoDP6OZEamk1fEovWsXRa2wdFjeQ=="
},
"filename": "gamified-trading-system-3.6.2.tgz"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gamified-trading-system/MAL-2026-10502.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]