@aswinsparky/api @1.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4364
Ecosystem: npm
Summary
index.js line 11 issues a fetch() to the hardcoded URL https://api.aswinsparky.qzz.io carrying values read from process.env. The destination is a freshly registered qzz.io subdomain matching the author's npm scope (@aswinsparky), not documented vendor or publisher infrastructure. There is no configuration option, no user-supplied URL, and no documented purpose that would explain shipping environment-variable contents to this host. Any consumer that imports or invokes this package leaks process environment values (typically containing API keys, tokens, and secrets) to the author-controlled endpoint.
Source: amazon-inspector (8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe)