@qlab/component-intelligence @2.0.6
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-6184
Ecosystem
npm
Summary
package.json declares a preinstall hook ("preinstall": "node index.js") that fires automatically on npm install. index.js requires os, dns, https, querystring, and the package's own package.json, then collects the installer's hostname (os.hostname()), username (os.userInfo().username), home directory (os.homedir()), configured DNS servers (dns.getServers()), current working directory, and the full contents of package.json, and POSTs them via HTTPS to the hardcoded webhook https://eo1e4fhn1i67p8r.m.pipedream.net/. This is the canonical dependency-confusion / recon-beacon shape: host identifiers and internal package metadata leave the machine unconditionally at install time, bound for an attacker-controlled endpoint, giving the attacker reconnaissance data on internal package names, corporate hostnames, and user identities to fuel follow-on supply-chain attacks.
Source: amazon-inspector (9ad49caeee790003270d74c5b17a58d0cef6f04d881efe83b0f6c7e11515e934)