MAL-2026-10435
Malicious code in fetchcraft (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c1a40f1af8ba957a18b37ddba0dbe5634112f489841b22208eff421f9a09f786) package.json declares the runtime dependency `node-runtime-utils` as `https://github.com/Hexa-devy/node-runtime-utils/archive/refs/heads/main.tar.gz` — a tarball fetched from the mutable `main` branch of a personal GitHub user's repository, with no commit SHA, tag, or integrity hash pinning. On `npm install fetchcraft`, npm downloads and installs whatever bytes that URL serves at install time, including any lifecycle scripts (preinstall/install/postinstall/prepare) shipped in the fetched tarball. Because the source is a mutable branch under a personal account rather than a registry-published package or a pinned commit, the contents can be swapped at any time without any change to fetchcraft itself, allowing arbitrary code to be executed on the installer's machine. The dependency is not referenced by the package's exported code, giving it no legitimate functional purpose.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for fetchcraft (npm). Pin to a known-safe version or switch to an alternative.