VDB
KO

MAL-2026-10283

Malicious code in another-poc-by-tipsen (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d1bd73ac39644da27df81fcbc6540647d0f13d77419a07997a8ca0a2baa6164e) package.json declares a dependency `safe-chain-test` sourced from a tarball URL on an anonymous Cloudflare tunnel host (`periods-parcel-pittsburgh-upgrading.trycloudflare.com`) rather than the npm registry or a pinned git SHA. On `npm install`, npm fetches and installs whatever bytes that ephemeral, publisher-controlled host serves at the moment of resolution, bypassing registry scanning and integrity pinning. The tunnel operator can change the served bytes at any time, so the installer's dependency graph resolves to arbitrary, unverifiable code executed with the transitive package's install-time and require-time privileges. The package itself is otherwise empty (only package.json and README.md; declared `main` index.js is absent), so the sole effect of installing it is to pull in the tunnel-hosted tarball.

## Source: ghsa-malware (52f519ab22257fd32777887f2f2c2109c13d6be8c4a0d8bb36ea5993e9c837e4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / another-poc-by-tipsen
Introduced in: 0

No fixed version published yet for another-poc-by-tipsen (npm). Pin to a known-safe version or switch to an alternative.

References