@nstrlabs/sdk @99.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5421
Ecosystem
npm
Summary
On npm install , package.json runs preinstall: node index.js || true , unconditionally executing index.js. The script collects host identity fields (os.hostname(), os.userInfo().username, __dirname, process.cwd(), and the package id), hex-encodes them as DNS labels, and resolves them as a subdomain of an interactsh OOB callback host ( *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live ), then also POSTs the same JSON payload to a bare IP HTTP endpoint at http://172.201.213.59:9090/c . Two independent exfiltration channels (DNS + HTTP) fire on every install, with || true swallowing errors so the exfil is silent. The package is a typosquat / dependency-confusion lure: version 99.0.1 is an unusually high pseudo-version, scope @nstrlabs and metadata ( description: security research , author jeroengui ) are placeholder-shaped, and the package has no other functionality — its sole effect on install is the recon beacon.
Source: amazon-inspector (a0b1375de7b44594cd3760efb91cb94c8c8b7137322f4597114e314ce5e14e45)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.