@gad360/apothem @1.1.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4391
Ecosystem: npm
Summary
The package's package.json declares a postinstall hook ("postinstall": "node install.js") that runs install.js automatically on npm install. install.js requires fs, os, https, and child_process, reads environment variables and host metadata (process.env, process.platform, process.arch, os.tmpdir, fs.readFileSync), and issues an https.get to the hardcoded endpoint https://ahmedgad.com. The combination of a hardcoded non-publisher destination with environment/system reads inside a lifecycle script is the canonical install-time exfiltration shape. The destination is unrelated to any documented vendor SDK or runtime CDN, and there is no version pinning, hash verification, or build-from-source justification for the network call.
Source: amazon-inspector (4f5e509ba6aa2f781391f03ff37ea8005440c1d1106391bdfa91abae06336ad3)