@outmarket/ui @9.9.9
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6291
Ecosystem: npm
Summary:
package.json declares a postinstall script that runs automatically on npm install and performs require('https').get(...) to a Burp Collaborator subdomain (7rzjsf29azci2qjsm6kxt23ag1mtanyc.oastify.com), passing os.hostname() and os.userInfo().username as query parameters. Any developer or build system installing this package leaks host identity to an external attacker-controlled OAST endpoint. The package's own description ("PENTEST-PoC: Dependency confusion - SecurifyAI engagement 2026-06-23") and the version 9.9.9 published under the @outmarket scope indicate that the package is designed to win resolution against an internal private package of the same name and to harvest beacons from anyone in the targeted organization who installs it.
Source: amazon-inspector (7241a2e167db383267fa82ce9660a44f7bcca4b6d4f11bb7ca85eaa6b432a47e)