@limebike/supreme-data-grid @85.14.48
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4189
Ecosystem
npm
Summary
@limebike/supreme-data-grid occupies the @limebike npm scope (a private-looking namespace) with placeholder metadata and a README stating 'Claimed by dphoeniixx'. Both the preinstall and postinstall lifecycle hooks invoke index.js, which collects the installer's hostname, all non-internal network interface IPs, the current working directory, directory listings of cwd / /app /../../, and the contents of /app/package.json, then POSTs the data as JSON to http://poc.khz.bar/install over plain HTTP. The combination of an internal-scope-impersonating package name with install-time reconnaissance of host identity, internal IPs, and nearby project metadata is the canonical dependency-confusion attack shape: it fires on npm install with no consent and exposes private network topology and project information to an external, attacker-controlled host.
Source: amazon-inspector (018193d4f68c2fcaad63da76c3c125ed94d5a6da1efaab85147ff59efafa0b46)