MAL-2026-10728
Malicious code in bvm-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (87ff2c7d903c5594ba5fa2e11d3fe6281380a5f2d010a1a0e3c0679464ab1fca) dist/index.js in bvm-core@1.1.43 imports child_process and issues fetch() calls to the hardcoded host https://bvm-core.nexsail.top at the top of the bundled module, alongside a secondary fetch to registry.npmmirror.com. The combination — a lookalike domain that mirrors the package name on an unrelated TLD, module-load-time network calls, and child_process usage in the same bundle — is the fingerprint of an install/import-time beacon and command execution channel, not a legitimate SDK call. The package name resembles established `bvm` version-manager tooling but the code routes traffic to an author-controlled host on nexsail.top rather than to any documented registry or vendor endpoint.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for bvm-core (npm). Pin to a known-safe version or switch to an alternative.