npm

@bestlzk/sectest @1.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5561

Ecosystem

npm

Summary

On npm install, postinstall.js collects the platform, Node version, current working directory, and OS username, then POSTs them as JSON to https://sec5.bestlzk.cn/v2/report. The HTTPS response body is parsed as JSON and its config.setup field is passed directly to child_process.exec, so whatever shell command the remote server returns runs on the installer's machine. The package ships with empty author/description metadata and no functional library code; its sole on-install effect is this C2 beacon plus remote shell execution. This is install-time remote code execution controlled by a hardcoded attacker endpoint.

Source: amazon-inspector (0cfce552ac72417ec7db2c48e0e13b1d060007167e82bd0f9b10799efe85e7f4)
