-= Per source details. Do not edit below this line.=-
The package's exported getPlugin function fetches JSON from https://svganchordev.net/icons/105 and passes the response's data.credits field to new Function() with require, module, process, Buffer, and other Node globals bound, then invokes it. Any consumer that imports fastify-bundler and calls the advertised API executes attacker-supplied JavaScript with full Node privileges; the remote operator can change the payload at any time. The package's declared dependencies (@primno/dpapi for Windows DPAPI credential decryption, better-sqlite3/sqlite3 for Chromium Login Data and Cookies stores, node-machine-id for host fingerprinting, socket.io-client, axios, request) are injected into the require() available to the remote payload, providing a ready-made toolkit for browser-credential theft and C2. The package identity is also deceptive: it is published as 'fastify-bundler' with a description claiming to be a 'high-performance web framework for Node.js', while the shipped README is titled 'Tailwindcss Forms Bundler' and instructs users to `npm install tailwindcss-forms-bundle' — a name/README mismatch targeting three unrelated popular ecosystems to attract installs.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010361",
"source": "amazon-inspector",
"import_time": "2026-07-14T03:07:05.756424574Z",
"sha256": "b3d824f75a77642b33c2c29524f9decca40c16a12aabe0a2528f3d90deac8720",
"versions": [
"1.4.13"
],
"modified_time": "2026-07-14T02:41:15Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fastify-bundler/MAL-2026-10520.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "fastify-bundler-1.4.13.tgz",
"hashes": {
"sha512_sri": "sha512-22pdXhYJXq0dPwULKe29E0fxLiQTo8+FEjz/AWZ9lfpMR0WJmmxcCYxMCKGfMZSa3BgYYT67ijLwCPq76QZaUg==",
"sha1": "f0a121e58ee11e69d792da8f3bdb92136e08a9e0"
}
}
],
"evidence_files": [
{
"path": "index.js",
"sha256": "ad6c20cc3443d87b559188e0bbeedaee54047ccfd5e798fb938c15c1e778dd8a",
"tlsh": "00c1616546fa21a36a67e4edf30f100271a6e2133758e971f48e42902fca568e5f24e8"
},
{
"path": "package.json",
"sha256": "58f81cf44d62fd20ae760058e0bf0899a0c1bf3768d925ce40736f5045494aea",
"tlsh": "ec012614ce218e7325d92596982d4186a250d94b8e10fc0c33da569d5f4e97f22fe76c"
}
]
}