@cw-ui/micro-ui-loader @2.0.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10557
Ecosystem
npm
Summary
On npm install , postinstall.js reads the installer's hostname via os.hostname() and sends it as a query parameter to a hardcoded bare-IP HTTP endpoint: http://37.60.255.218/skybackground.png?display=${encodeURIComponent(displayProfile)} . The response is saved locally as downloaded-image.jpg as a cover story. The package's README advertises 'Simple Text Utils' for string operations (capitalize/reverse/wordCount), and index.js exports only downloadImage — neither matches the stated purpose. The author field is the placeholder 'Your Name'. The combination of hardcoded bare-IP destination, plain HTTP, install-time auto-execution, host-identifier exfiltration, README/behavior mismatch, and placeholder metadata is a recon beacon shape, not legitimate functionality. Installing this package leaks the host's identifier to an attacker-controlled IP without consent.
Source: amazon-inspector (b558c8d90850ea9817e236b445ba2bc1020a35a81a099a5e1575ef705b00bd39)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.