VDB
KO

MAL-2026-10079

Malicious code in vybscan-testbed-obfuscated-postinstall (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cf9aee5b150e0606b1c5c2469fdab43496965a3dd5664df288d68d618e326567) package.json declares a postinstall lifecycle script that runs `node -e "eval(Buffer.from('<base64>','base64').toString())"`. Installing the package triggers execution of code that is not visible in the package source and is only materialized at install time by decoding an opaque literal. In this specific version the decoded blob is an inert console.log, but the mechanism — obfuscated-then-eval'd bytes wired into a lifecycle hook — is the canonical install-time remote-code-execution shape and has no legitimate use: it lets whoever controls the package substitute arbitrary code at install without changing readable source. The package's self-description as a testbed fixture does not neutralize the pattern; the same install-time hook would execute whatever bytes were placed in the base64 literal.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / vybscan-testbed-obfuscated-postinstall

No fixed version published yet for vybscan-testbed-obfuscated-postinstall (npm). Pin to a known-safe version or switch to an alternative.

References