@hkyyy/portal-widget-helper-0601 @1.0.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 10:52 AM UTC
OSV ID
MAL-2026-10648
Ecosystem
npm
Summary
The package has no real functionality — index.js only exports { ok: true } — and its sole effect is to run a postinstall reconnaissance script. package.json declares scripts.install -> node postinstall.js , which on npm install executes whoami , id , hostname , captures cwd and Node version, and prints a PROOF_BEGIN / PROOF_END block to stderr. postinstall.js also contains a fully-formed exfiltration path that issues curl -fsS "${url}" || wget -qO- "${url}" and a dns.lookup(sub,...) call against a DNSLOG_URL constant. The URL is currently the placeholder string 'CHANGE_ME_DNSLOG_URL' , so the network beacon is gated off in this published version, but the host-recon commands fire unconditionally and the exfil channel is one literal-string edit away from active. The package name @hkyyy/portal-widget-helper-0601 (date-suffixed variant of an apparent internal package name) plus the trivial body match the standard dependency-confusion PoC shape: the package exists to be picked up by mistaken namespace/version resolution and to fingerprint the installer's host.
Source: amazon-inspector (f72e27d8bfbf5b9bfefe661d642be934399a38031c1bee028a20ed3282e0f482)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.