@aledan007/tester @0.4.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4360
Ecosystem: npm
Summary
The bundled server file dist/server/index.js contains a hardcoded reference to the attacker-controlled domain https://evil.attacker-example.com adjacent to fetch() and POST primitives, alongside require("child_process") usage. The combination of an explicit external attacker domain wired to outbound POST/fetch calls together with child_process import is the canonical shape of an installer-side exfiltration / remote command execution payload. The destination is not a vendor/publisher domain and has no legitimate purpose; any installer requiring or running this package risks having host data and command output sent to the attacker endpoint.
Source: amazon-inspector (ab03e3eef2f59f358cdaacedf2d9facb12077110c5402ad36aad6e3581e66439)