@aonunited/angular @99.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5150
Ecosystem
npm
Summary
On npm install , the package's preinstall script (preinstall.js) collects the installer's hostname, OS username, current working directory, and a timestamp, then sends them to two attacker-style out-of-band endpoints: a DNS lookup of a subdomain under oast.fun (an Interactsh-style callback service) constructed from the installer's identifiers, and an HTTPS POST of a JSON payload to a webhook.site URL. The package itself provides no functionality — it is a high-version (99.0.1) namespace-confusion lure against an internal @aonunited/angular package, designed so that any environment whose resolver picks the public registry copy will auto-execute the beacon. Although the metadata describes this as authorized HackerOne VDP research, the package is published to the public npm registry, so any developer or build system that installs or mistypes it leaks host fingerprints to third-party infrastructure without consent.
Source: amazon-inspector (63dac830216ae445ebe7c5f45534e479d73a23a098ea9fc5740eeded5ebab4c9)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.