@businessapp-microsites/apis @9999.0.2
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC
OSV ID
MAL-2026-6696
Ecosystem
npm
Summary
@businessapp-microsites/apis@9999.0.2 is a dependency-confusion squat against the private scope @businessapp-microsites , published with an implausibly high version (9999.0.2) to outrank any internal registry copy. On npm install , its postinstall.js runs child_process.execSync to collect hostname , whoami , and uname -a / ver , combines this with os.hostname(), os.userInfo(), and CI attribution env vars (GITHUB_REPOSITORY, GITHUB_SHA, RUNNER_NAME, etc.), and sends them via https.get to a hardcoded external callback at poc-trustpilot-npm-1782770591.testingboxes.com. Any org whose internal registry mirrors public npm and resolves this scope will auto-execute the beacon under CI credentials. The package self-labels as a bug-bounty PoC, but the executed code is a full dependency-confusion exfil payload against installers of the squatted scope; cover-story framing does not change the installer-side harm.
Source: amazon-inspector (b70ab5da6865ec94b15097fa84836ab41f39b65a5277974b407c545d8d424c7f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.