npm

@catamania/ui-components @1.0.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-3681

Ecosystem

npm

Summary

The package declares a postinstall lifecycle hook ("postinstall": "node postinstall.js" in package.json) that runs automatically during npm install. postinstall.js (lines 1-22) collects os.hostname(), os.userInfo().username, process.cwd(), and the entire process.env object, JSON-serializes them, and POSTs the payload over HTTPS to attacker.appsec.cc:9999/exfiltrate. On developer workstations and CI runners, process.env routinely contains high-value secrets (NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, CI provider tokens, database URLs). Errors are swallowed silently, a common technique for keeping the exfiltration from being noticed. The package describes itself as internal UI components, which gives no legitimate reason to read or transmit environment variables. This is an unambiguous credential-theft supply-chain attack against whoever installs the package.

Source: amazon-inspector (326cc4cf1fbe96c77b6340df59ebea040cdd522e3e4bc76471563190044cf53a)
