npm

@outmarket/utils @9.9.11

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6292

Ecosystem

npm

Summary

package.json declares a postinstall lifecycle script that fires automatically on npm install. The inline node -e payload uses hex-encoded property names (\x6f\x73 for os, \x68\x6f\x73\x74\x6e\x61\x6d\x65 for hostname, \x75\x73\x65\x72\x49\x6e\x66\x6f for userInfo) to obscure that it reads os.hostname() and os.userInfo().username, then issues an HTTP GET to http://208.87.128.25:8888/?h=<hostname>&u=<username>. The destination is a bare IPv4 address over cleartext HTTP, not a publisher domain or known infrastructure. The package is published under the @outmarket scope with a description identifying it as a dependency-confusion proof-of-concept, but the on-install behavior is indistinguishable from a real dependency-confusion beacon: any installer that resolves this public package in place of an internal @outmarket/utils will leak host identity to the hardcoded endpoint. Hex obfuscation of standard Node API names is evasion, not a legitimate engineering choice.

Source: amazon-inspector (2cd90f0d706cda01a5740f120f6e8d22ae57d907a5000854439c201b3c53a8c0)
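The signals named in the summary (an install-time hook running inline node -e, hex-escaped Node API names, and a bare-IP HTTP endpoint) can be checked mechanically before a package is installed. The following is an added example, not code from osv.dev or Amazon Inspector; the package.json fixture is constructed to mirror the reported pattern and uses a documentation-range address (203.0.113.10) as a placeholder, not the real endpoint.

```python
import json
import re

# Constructed package.json fixture (not the real package): inline node -e,
# hex-escaped os/hostname/userInfo names, bare-IP HTTP URL, placeholder address.
SAMPLE_PACKAGE_JSON = r'''{
  "name": "@example/utils",
  "version": "0.0.1",
  "scripts": {
    "test": "node test.js",
    "postinstall": "node -e \"const o=require('\\x6f\\x73');o['\\x68\\x6f\\x73\\x74\\x6e\\x61\\x6d\\x65']();o['\\x75\\x73\\x65\\x72\\x49\\x6e\\x66\\x6f']();'http://203.0.113.10:8888/?h='\""
  }
}'''

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
INLINE_NODE = re.compile(r"\bnode\s+(?:-e|--eval)\b")
BARE_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?")
SENSITIVE_NAMES = ("hostname", "userInfo", "networkInterfaces", "homedir")


def decode_hex_escapes(text):
    """Resolve JavaScript \\xNN escapes so obscured identifiers become visible."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def audit_lifecycle_scripts(package_json_text):
    """Return one finding per install-time hook that shows beacon-like signals."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        decoded = decode_hex_escapes(command)
        signals = []
        if INLINE_NODE.search(command):
            signals.append("inline node -e payload")
        hex_count = len(HEX_ESCAPE.findall(command))
        if hex_count:
            signals.append(f"{hex_count} hex-escaped characters")
        # Names that appear only after decoding were deliberately hidden.
        hidden = [n for n in SENSITIVE_NAMES if n in decoded and n not in command]
        if hidden:
            signals.append("obfuscated API names: " + ", ".join(hidden))
        ip_urls = BARE_IP_URL.findall(decoded)
        if ip_urls:
            signals.append("bare-IP endpoint: " + ", ".join(ip_urls))
        if signals:
            findings.append({"hook": hook, "signals": signals,
                             "hidden_names": hidden, "bare_ip_urls": ip_urls})
    return findings
```

Run audit_lifecycle_scripts over the package.json of each dependency in a lockfile review; a clean build hook such as "node build.js" produces no finding, while the fixture above is flagged on all three signals.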
