This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis.
Note: This report is updated by a verification record
Malicious package. Collects system info, exfiltrates data to hardcoded IP, runs code during preinstall, and attempts to hide activity.
The package is marked as malware by OSV: MAL-2025-6192 with source: ghsa-malware
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
The package paypal-invoicing version 1.0.1 is highly suspicious and likely malicious. The index.js file contains code that collects system information (public IP, hostname, OS details, local IP, username, current directory) and attempts to exfiltrate it to a hardcoded IP address (http://54.173.15.59:8080/jpd.php) via GET and POST requests. It also attempts to exfiltrate data via a WebSocket connection. Furthermore, the package executes node index.js during the preinstall phase, which is unusual and indicative of malicious intent. The code also attempts to suppress logging during the preinstall phase, making detection more difficult. These behaviors strongly suggest that the package is designed to steal sensitive information and potentially compromise the user's system.