npm

@leviosa86com/leviosa86-test @6.2.1

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 5:50 AM UTC

Malicious

OSV ID

MAL-2026-10625

Ecosystem

npm

Summary

Package @leviosa86com/leviosa86-test@5.999.0 ships src/poc/index.js which shells out via child_process.exec to collect host identifiers (hostname, pwd, whoami) and the installer's public IP (curl https://ifconfig.me), then concatenates the collected data into a subdomain label and triggers a DNS lookup (nslookup) against a unique subdomain of oast.site (a d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site Interactsh out-of-band interaction server), exfiltrating host recon over DNS to an attacker-controlled OAST endpoint. package.json declares preinstall: node index.js ; a root index.js is not present in the tarball, so the default install may no-op, but the shipped src/poc/index.js payload is unambiguous exfiltration recon and the package name/version shape ( @leviosa86com/leviosa86-test@5.999.0 , a very high version) matches a namespace-squat / dependency-confusion attempt targeting a private @leviosa86com scope.

Source: amazon-inspector (96264a8719e17bd8ec21d47213fe31dec87445e01ff312a1e46af5819e028979)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.