@klapp-login-platform/routes @99.0.2
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-5415
Ecosystem: npm
Summary
On npm install, the package's preinstall lifecycle hook executes index.js, which collects the installer's hostname, username, package install path (__dirname), current working directory, and package name, serializes them to JSON, hex-encodes the result, and exfiltrates the data through two channels: DNS lookups against subdomains of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an Interactsh out-of-band callback host) and an HTTP POST to the bare IP endpoint http://172.201.213.59:9090/c. The package ships almost no functional code; its purpose is the beacon.

The scope @klapp-login-platform paired with an inflated 99.0.2 version and a generic routes name fits the canonical dependency-confusion pattern of publishing a high-version public package to shadow an internal private package of the same name, causing affected build environments to resolve and install this attacker-controlled release.
Source: amazon-inspector (ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7)
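
An added example, not part of the advisory or of any vendor's tooling: a lockfile audit for the dependency-confusion pattern described in the summary, flagging packages in an internal scope that resolved from a registry other than the private one. The private registry host npm.internal.example, the @klapp-login-platform/ui entry, and the major-version threshold of 50 are assumptions; the sample lockfile is constructed.

```javascript
// Constructed sample: excerpt of a package-lock.json (lockfileVersion 3).
// The private registry host and the "ui" package are made up for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@klapp-login-platform/routes": {
      version: "99.0.2",
      resolved: "https://registry.npmjs.org/@klapp-login-platform/routes/-/routes-99.0.2.tgz",
      hasInstallScript: true
    },
    "node_modules/@klapp-login-platform/ui": {
      version: "2.3.1",
      resolved: "https://npm.internal.example/@klapp-login-platform/ui/-/ui-2.3.1.tgz"
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    }
  }
};

// Derive the package name from a lockfile key, including nested installs
// such as "node_modules/a/node_modules/@scope/b".
function packageName(lockKey) {
  const i = lockKey.lastIndexOf("node_modules/");
  return i === -1 ? lockKey : lockKey.slice(i + "node_modules/".length);
}

// Return one finding per package in an internal scope that did not resolve
// from the private registry host. Workspace links (link: true) are skipped.
function auditLock(lock, internalScopes, privateHost, maxMajor = 50) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (entry.link || !internalScopes.some((s) => name.startsWith(s + "/"))) continue;
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* missing or non-URL */ }
    if (host === privateHost) continue;
    findings.push({
      name, version: entry.version, resolvedHost: host,
      installScript: entry.hasInstallScript === true, // lifecycle hook will run
      inflatedVersion: parseInt(entry.version, 10) >= maxMajor
    });
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK, ["@klapp-login-platform"], "npm.internal.example"));
```

Run against the real lockfile in CI by passing the parsed package-lock.json and failing the build when the returned list is non-empty.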