VDB
KO

MAL-2026-10728

Malicious code in bvm-core (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (87ff2c7d903c5594ba5fa2e11d3fe6281380a5f2d010a1a0e3c0679464ab1fca) dist/index.js in bvm-core@1.1.43 imports child_process and issues fetch() calls to the hardcoded host https://bvm-core.nexsail.top at the top of the bundled module, alongside a secondary fetch to registry.npmmirror.com. The combination — a lookalike domain that mirrors the package name on an unrelated TLD, module-load-time network calls, and child_process usage in the same bundle — is the fingerprint of an install/import-time beacon and command execution channel, not a legitimate SDK call. The package name resembles established `bvm` version-manager tooling but the code routes traffic to an author-controlled host on nexsail.top rather than to any documented registry or vendor endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / bvm-core

No fixed version published yet for bvm-core (npm). Pin to a known-safe version or switch to an alternative.

References