Mal-ecule
O₇(C₂S₅Ca₃ErDy₂PXe)H₄(F₄CmOs₂Po₄)Md(In)
Found in 1 archive
Objectives

| Severity | Confidence | Category | Description |
|---|---|---|---|
| hostile | 96% | command-and-control/dropper/execution | Supply-chain dropper via destructured child_process |
| hostile | 95% | supply-chain/recon-exfil | npm package exfiltrates CI/CD info via HTTP |
| suspicious | 94% | command-and-control/infrastructure | Script writes mapping to system hosts file |
| suspicious | 80% | credential-access/env/secrets | .npmrc file reference |
| suspicious | 70% | evasion/hosts-file | Windows hosts file path reference |
| suspicious | 85% | supply-chain/credential-theft | JS uses env HOME for credential access |
| suspicious | 80% | supply-chain/impersonation | Writes to sensitive path |
| suspicious | 96% | supply-chain/install-hook/dropper | Requires then deletes temp JavaScript |
| notable | 84% | credential-access/env | Node reads dotenv credential file contents |
| notable | 90% | credential-access/files | Package registry credential paths |
| notable | 90% | discovery/system/fingerprint | Collects operating system platform |
| notable | 85% | execution/condition | Executes different commands based on OS platform |
| notable | 86% | persistence/system/surface | installer package script hook |

Micro-behaviors

| Severity | Confidence | Category | Description |
|---|---|---|---|
| suspicious | 95% | fs/path/sensitive | NPM registry credentials file |
| notable | 86% | fs/file | Read files (Node.js AST) |
| notable | 85% | os/env/vars | GITHUB_ACTIONS runtime flag |
| notable | 90% | process/create | Detached ignored unref spawn |
| notable | 100% | process/create/shell | Executes shell commands synchronously |
| notable | 80% | process/user | os.userInfo() user query |

Metadata

| Severity | Confidence | Category | Description |
|---|---|---|---|
| notable | 78% | import | require('https') import |

20 of 58 traits shown
Identity

| Field | Value |
|---|---|
| SHA-256 | f7c6bc732dc276b8b11cda85378e416881f65561f550b903e2ad0ba234b3a9d7 |
| Filename | package/scripts/postinstall.js |

Origin

| Field | Value |
|---|---|
| Source | harvest |
| Feed | osv.dev |
| Ecosystem | javascript |

Timeline

| Event | Time |
|---|---|
| First seen | 27 May 2026 15:46 UTC |
| First analyzed | 27 May 2026 15:46 UTC |
| Last analyzed | 27 May 2026 15:46 UTC |
| Last updated | 27 May 2026 15:46 UTC |

Labeling

| Field | Value |
|---|---|
| Label | bad |
| Label source | harvest |