@broadpeak/smartlib-ad @24.1.10
Vulnerability report · Last retrieved from osv.dev July 11, 2026 at 5:36 AM UTC
OSV ID
MAL-2026-10178
Ecosystem
npm
Summary
package.json declares preinstall: node index.js , which fires automatically on npm install . index.js loads child_process/os/https, runs whoami and id , collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at https://3quc59n15cfcretszaygwfm9v01rphd6.oastify.com/detox56. The package ships no functional code beyond this beacon, has empty description/author, and is published under the @broadpeak scope — consistent with dependency-confusion reconnaissance impersonating an internal Broadpeak package. Installing this package leaks installer host/user identifiers to an attacker-controlled out-of-band endpoint and confirms code execution inside the target's build environment for follow-up targeting.
Source: amazon-inspector (45df33d93645560085a7efe94308b0e3d846f30c829f2d2804bcdb1245626289)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.