hostile severity cross-file finding.
npm supply chain attack with CI/CD targeting
notable severity cross-file finding.
HTTP client usage markers
notable severity cross-file finding.
Massive string concatenation operations
notable severity cross-file finding.
Shell execution symbols
notable severity cross-file finding.
Shell command execution capability detected
notable severity cross-file finding.
Node gzip or gunzip calls
notable severity cross-file finding.
Script HTTP client markers
notable severity cross-file finding.
Node.js child_process alias spawn
notable severity cross-file finding.
Node.js child_process execution
notable severity cross-file finding.
Node.js child_process module import
Well-known
suspicious severity, 92% confident.
malware/supply-chain
Graphalgo graph or big package family
Objectives
hostile severity, 95% confident.
supply-chain/recon-exfil
npm supply chain attack with CI/CD targeting
suspicious severity, 75% confident.
anti-analysis/timing
JavaScript new Date() comparison
suspicious severity, 80% confident.
anti-static/obfuscation
Computed property access using concatenation
suspicious severity, 82% confident.
anti-static/obfuscation/control-flow
Parameterless constant-return helper padding
suspicious severity, 87% confident.
anti-static/obfuscation/encoding
Hexadecimal control flow obfuscation
suspicious severity, 90% confident.
anti-static/obfuscation/string
Massive string concatenation operations
suspicious severity, 94% confident.
command-and-control/backdoor/tasking
JS execSync command call
suspicious severity, 90% confident.
command-and-control/dns
JVM DNS tunnel label
suspicious severity, 80% confident.
command-and-control/infrastructure/domain
Free/abused top-level domain
suspicious severity, 90% confident.
credential-access/env/secrets
process.env secret-name filter regex
suspicious severity, 90% confident.
execution/autoinstall
Package script npm install package
suspicious severity, 90% confident.
execution/interpreter/eval
Global object assignment (root/self/global)
suspicious severity, 93% confident.
exfiltration/stealer/host-profile
TS collects process and env
suspicious severity, 95% confident.
lateral-movement/pass-the-hash
Node computes NTLM MD4 hash
suspicious severity, 80% confident.
supply-chain/trojanized
Replace dist or build artifacts
suspicious severity, 94% confident.
supply-chain/trojanized/app
Writes or appends to config target
Micro-behaviors
suspicious severity, 90% confident.
crypto/symmetric/xor
Custom XOR decoding loop in JavaScript
suspicious severity, 90% confident.
data/encode/permutation
Nested loops with multiple charAt calls
anti-analysis
suspicious severity, 90% confident.
archive
Archive contains symlink that may escape extraction directory
20 of 110 traits shown
Identity
| SHA-256 | ea026d3101f6cda9c5b7e513683d159f5bc3ab9198f51d427de94f0a4958c581 |
|---|---|
| Canonical SHA-256 | 0018c44a4f4577ed7e94b66d768eab3a822bc96fda9131cfb7e4dea99eb1b9b0 |
| Filename | ahmadalli.vscode-nginx-conf.vsix |
| Package | ahmadalli.vscode-nginx-conf |
| Version | 0.3.5 |
Origin
| Source | forager |
|---|---|
| Feed | marketplace.visualstudio.com |
| Ecosystem | vscode |
| Domain | vsassets.io |
| URL | https://ahmadalli.gallery.vsassets.io/_apis/public/gallery/publisher/ahmadalli/extension/vscode-nginx-conf/latest/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage |
Timeline
| First seen | 1 Jun 2026 10:24 UTC |
|---|---|
| First analyzed | 3 Jun 2026 06:27 UTC |
| Last analyzed | 15 Jun 2026 08:11 UTC |
| Last updated | 15 Jun 2026 08:11 UTC |
Labeling
| Label | good |
|---|---|
| Label source | forager |
| Traits version | 061e3 |