VYPR

npm · Malicious package advisory

Malware

jest-formatter

MAL-2026-10436

Malicious code in jest-formatter (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (af1f270f7df9ee4f9088044964921e1b085b809ddb1d696e652326c58e5c0aba)
The package jest-formatter@1.0.0 presents itself as a Jest test output formatter but its lib/collect.js imports child_process and invokes execSync with bash and zsh at lines 205 and 221. The 'collect' module name combined with shell execution via multiple shells is consistent with harvesting installer-side data (shell history, credentials, environment) from Unix hosts. The behavior does not match the advertised purpose of formatting test output, and the traced content matched patterns associated with credential/data collection payloads. Concrete shell-exec sinks in a module named 'collect' inside a package with no legitimate need for bash/zsh invocation indicate an active data-collection payload rather than a formatter library.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.