-= Per source details. Do not edit below this line.=-
The package.json postinstall script executes a Node one-liner that opens a TCP connection to the hardcoded IP 185.112.147.174 on port 7007 and spawns /bin/sh with its stdio piped through the socket. Because npm automatically runs postinstall during npm install, any machine that runs npm install vps-maintenance immediately hands an interactive shell to whoever operates that endpoint, yielding arbitrary remote code execution as the installing user. There is no legitimate install-time use for a bare-IP shell bridge: this is a reverse-shell dropper, not a build helper, runtime fetch, or native-addon step. The package name (vps-maintenance) is a cover story; the actual behavior is a backdoor.
{
"malicious-packages-origins": [
{
"versions": [
"0.1.0"
],
"sha256": "110b8556d612185c2c6ea84731898d4f23f04658556e1ff22852f953b956e43a",
"source": "amazon-inspector",
"modified_time": "2026-07-04T13:43:09Z",
"id": "IN-MAL-2026-007956",
"import_time": "2026-07-04T14:34:32.127091288Z"
}
]
}
{
"package_integrity": [
{
"filename": "vps-maintenance-0.1.0.tgz",
"hashes": {
"sha512_sri": "sha512-Kwj71je+AYz1+E4g35VVwjStRIL4Xfhk9VqPJ1+yZ3FdKOxCXUpMRAsMJPtRr2/8paaw/v99hrnRMqc1IJsjjg==",
"sha1": "319e70ecd5b71fc690522825093e19cb76ba508d"
}
}
],
"evidence_files": [
{
"sha256": "b62a2df731cc91853abbbf71370868506684d82447d51666fe51cb43bf9e4cec",
"path": "package.json",
"tlsh": "4811ce35caa4cf2321d840e46cb60a17aaa548172255bd1433ca216dc75e2eb18ff39e"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vps-maintenance/MAL-2026-6756.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]