npm

@muaththir/api @2.0.0

Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 12:51 AM UTC

Malicious

OSV ID

MAL-2026-6328

Ecosystem

npm

Summary

On npm install, the package's preinstall lifecycle hook runs node index.js, which collects host identifiers (os.userInfo().username, process.cwd(), Node version, process.platform, architecture) and POSTs them via https.request to the hardcoded endpoint https://avamnrwqo7.rbmock.dev/api (an rbmock.dev mock-server host). The preinstall command suppresses all output by redirecting to /dev/null 2>&1, hiding the beacon from the installer. The package author is a placeholder identity and the package description is empty, consistent with a beacon/PoC rather than a legitimate library. Installing this package causes silent leakage of installer username, working directory, and host metadata to a third-party endpoint.

Source: amazon-inspector (66954b91179d60bfbf1c18e8ed8ed9e6b12ab7b13bc6ab2a4174c3bf063c2c0a)
