@flipbit2-bb/test-auth-state @0.0.2
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4389
Ecosystem: npm
Summary
On npm install, a postinstall script (phone-home.js) collects os.hostname(), os.userInfo().username, process.platform + os.release(), a timestamp, and a package label, then issues an HTTPS GET to https://webhook.site/a536b433-b440-43ec-8399-26059196216e. The package is published under @flipbit2-bb/test-auth-state, but the bundled tarball, README, and the phone-home payload's v field all identify as @atlassiansox/cross-flow-support@99.99.99 — a dependency-confusion attempt targeting Atlassian's internal scope, with version 99.99.99 chosen to win internal-vs-public resolution. Any installer who pulls this package — not just the intended target — leaks host identifiers to the author's webhook.site endpoint. The package has no other functionality.
Source: amazon-inspector (52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63)
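The indicators in this report (registry name differing from the bundled manifest name, an inflated version, and an install hook whose script reads host identifiers and can reach the network) can be checked on an unpacked tarball before any script runs. This is an added example, not code from the report or from the scanner it cites; the function name, finding codes, version threshold, and the sample postinstall command and script text are constructed assumptions.

```javascript
// Added example: static audit of an unpacked npm package before install.
// auditPackage, the finding codes and MAX_PLAUSIBLE_MAJOR are hypothetical names.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const NET_MODULES = /require\(\s*['"](?:node:)?(https?|net|dns)['"]\s*\)/;
const HOST_INFO = /os\.(hostname|userInfo|release)\s*\(/;
const MAX_PLAUSIBLE_MAJOR = 90; // assumption: majors this high are squatting bait

function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// requestedName: name the registry served; manifest: the tarball's package.json;
// files: map of path -> source text for scripts shipped in the tarball.
function auditPackage(requestedName, manifest, files = {}) {
  const findings = [];
  if (manifest.name !== requestedName) {
    findings.push({ code: 'name-mismatch', detail: `${requestedName} ships ${manifest.name}` });
    const claimed = scopeOf(manifest.name);
    if (claimed && claimed !== scopeOf(requestedName)) {
      findings.push({ code: 'foreign-scope', detail: claimed });
    }
  }
  const major = parseInt(String(manifest.version).split('.')[0], 10);
  if (major >= MAX_PLAUSIBLE_MAJOR) {
    findings.push({ code: 'inflated-version', detail: manifest.version });
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    findings.push({ code: 'install-hook', detail: `${hook}: ${cmd}` });
    // Follow "node <file>" hooks into the script they launch.
    const m = /^node\s+(?:\.\/)?(\S+)/.exec(cmd);
    const src = m ? files[m[1]] : undefined;
    if (src && NET_MODULES.test(src) && HOST_INFO.test(src)) {
      findings.push({ code: 'host-info-to-network', detail: m[1] });
    }
  }
  return findings;
}

// Constructed sample modelled on the report; the hook command and script body are invented.
const sampleManifest = {
  name: '@atlassiansox/cross-flow-support',
  version: '99.99.99',
  scripts: { postinstall: 'node phone-home.js' },
};
const sampleFiles = { 'phone-home.js': 'const os = require("os"); require("https"); os.hostname();' };
const sampleFindings = auditPackage('@flipbit2-bb/test-auth-state', sampleManifest, sampleFiles);
console.log(sampleFindings.map((f) => `${f.code}: ${f.detail}`).join('\n'));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running while a check like this is applied to the resolved tree.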