@carvana.authentication-flows/shared @19.2.1
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 6:49 PM UTC
OSV ID
MAL-2026-6521
Ecosystem
npm
Summary
package.json declares a preinstall hook (node index.js) that runs unconditionally on npm install. index.js imports child_process, os and https, collects host identifiers (os.hostname, os.userInfo, platform, arch, homedir, cwd), shells out to whoami and id, and POSTs the collected JSON to a hardcoded Burp Collaborator subdomain at https://pleq9pugrugzr4zgyymazmnq0h68u4it.oastify.com/detox56. The package name also impersonates the Carvana org: the scope @carvana.authentication-flows contains a dot so that it reads like a Carvana sub-namespace, but it is a separate top-level npm scope, not a namespace Carvana owns. No legitimate functionality is shipped; the package's sole effect on install is reconnaissance exfiltration to an attacker-controlled out-of-band server.
Source: amazon-inspector (78538bf70d1ebd3e4cd784d90b3961ea7966ce9b97e8124110374cad95c0b894)