@civitatis/bot-ui @15.12.11
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-6069
Ecosystem
npm
Summary
The package declares "preinstall": "node index.js" in package.json, causing index.js to execute automatically on npm install. index.js requires child_process, os, https, and http, then collects host and user identity — whoami, id, os.hostname(), process.platform, architecture, homedir, os.userInfo() (username/uid/gid/shell), OS details, and cwd — and POSTs them as JSON to the hardcoded URL https://277k5lhnsb38srix1rr2le9g177yvpje.oastify.com/detox56 (oastify.com is the Burp Collaborator out-of-band interaction service, commonly abused as recon/C2 infrastructure). The package ships no legitimate functionality — empty description, empty author, no UI code despite the bot-ui name — and the @civitatis scope plus generic name shape are consistent with a dependency-confusion attack against an internal namespace. Installing this package on any developer machine or CI runner immediately leaks host identity to the attacker.
Source: amazon-inspector (e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7)