@mep-exp/api-tools @2.0.3
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-6183
Ecosystem: npm
Summary
preinstall.js, registered as scripts.preinstall and also required from the main module and from every bin entry, collects os.hostname(), os.userInfo().username, os.platform(), process.cwd(), and a timestamp, and POSTs them as JSON to https://webhook.site/1ba25769-0f80-4429-a7d2-409af5fa5adc. The request runs unconditionally during npm install (preinstall lifecycle) and on every require or CLI invocation, with errors silently swallowed. The package scope (@mep-exp) and the bin names (mesh-swagger-cli, mesh-exp-entitlements, mesh-exp-routes, mesh-exp-api-clients, etc.) impersonate an internal Westpac 'MEP Experience Platform' toolchain, and the exfiltrated payload includes a "Westpac CT" note, consistent with a dependency-confusion attack targeting that organization's internal namespace by publishing to public npm. The package provides no legitimate functionality beyond the beacon.
Source: amazon-inspector (322089c1a58142401c82621aa778cdb7221086196cce6c879a703625b7013555)