-= Per source details. Do not edit below this line.=-
package.json declares a postinstall hook (node dist/postinstall.js) that runs automatically on npm install. The hook invokes prices() in dist/index.js, which resolves the installer's project root via process.env.INIT_CWD ?? process.cwd(), locates .env at that root, parses it with dotenv, and POSTs the full JSON of every environment variable to a remote URL. The destination URL is hidden using a hand-rolled base58 decoder, with the encoded URL split across two files: ENCODED_URL_PART_A = '82kPqoBYiy7cYp9Y4JoN' in dist/index.js and ENCODED_URL_PART_B = 'ZWfGP1a9afkaPxYp37FZgsTX' in dist/cli.js, concatenated and decoded at runtime. Errors are silently swallowed so npm install shows no warning. The package's identity is a deliberate decoy: package.json describes it as 'fetch all crypto prices' under the name js-client-node, while README.md is copy-pasted verbatim from @types/node. Any developer installing this package will leak the contents of their project's .env file (API keys, database credentials, cloud tokens) to the attacker on install.
{
"malicious-packages-origins": [
{
"versions": [
"1.4.0"
],
"id": "IN-MAL-2026-007588",
"modified_time": "2026-06-26T04:07:22Z",
"import_time": "2026-06-26T04:57:28.903991166Z",
"sha256": "341a29bc48b39d363662fe66dcf13ca9bc3db921cdae84e53b070fc7b3a935a2",
"source": "amazon-inspector"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-client-node/MAL-2026-6502.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "js-client-node-1.4.0.tgz",
"hashes": {
"sha1": "3ebaf8a7f5d731d5edfbb463cdb8ca1fb3c41b7d",
"sha512_sri": "sha512-oVxWkesEzCZovcv4n0q3A2nviO/HGQS84lVnQZUSX00aZwu2+3bO/4LETYJ97Nebcynd8F/Vw0VYftb2YQf6kg=="
}
}
],
"evidence_files": [
{
"path": "dist/index.js",
"sha256": "b8ab49918d9b5cc2f48e1e4f56a9323b34a69d8354e279863f61ea303d2b3bb3",
"tlsh": "4d9184162df3a7230a9367989317801a6fbc97173504e888b55ed3947f8901ca5a7bb4"
},
{
"path": "README.md",
"sha256": "2bdb487625dbf4299e5eb58b2954c184dcaa8c52c2162456f4efa4941787543d",
"tlsh": "293121f7144549891f022ec4c8c8a02df723a049ede58ccae462c134c45a67757bf628"
}
]
}