MAL-2026-6120

Malicious code in @caspianph/storyteller (npm)

Details

## Source: amazon-inspector (3bd24daaa395f2e6bfae7c6e6f488a6e114b87e2606ec1bce7dcd4ab6a92f40a)

The package ships `setup.cjs` containing heavily obfuscated JavaScript with hex-mangled identifiers (`_0x32549a`, `_0x4b2b44`, `_0x78c349`, `_0x119ac2`) typical of payload-hiding techniques. A file named `setup.cjs` in an npm package is structurally positioned to be invoked from a lifecycle hook (`preinstall`/`install`/`postinstall`) or required at module load. Legitimate npm packages do not obfuscate their install-time code; obfuscation in this position is overwhelmingly used to hide network beacons, credential reads, or dropper logic from casual inspection.

Affected packages

npm / @caspianph/storyteller

No fixed version published yet for @caspianph/storyteller (npm). Pin to a known-safe version or switch to an alternative.

References