@limebike/frontend-core-api@85.14.48
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4187
Ecosystem: npm
Summary:
Package squats the @limebike npm scope and ships a preinstall/postinstall hook (node index.js) that, on npm install, collects the hostname, non-internal network interface addresses, the current working directory, directory listings of cwd, /app, /../../ and /../../../, and the contents of /app/package.json, then POSTs that JSON over plain HTTP to http://poc.khz.bar/install (index.js:46-52). The README states "Claimed by dphoeniixx", a handle associated with dependency-confusion research, but regardless of stated intent, every installer whose CI mistakenly resolves the @limebike scope to the public registry leaks internal hostnames, internal network IPs, and the parent project's package.json to an attacker-controlled endpoint at install time.
Source: amazon-inspector (36e6a8b7768f00cc5d468fe7a21f8792da1970b60e5ccbad17eefeda1a8d5b3d)