
@salem_jalal/osc-components@1981.17.7

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC

Malicious

OSV ID

MAL-2026-6479

Ecosystem

npm

Summary

The package's postinstall hook (install.js, wired via package.json scripts.postinstall) runs on every npm install and transmits installer host identifiers (hostname, OS platform/arch, username, current working directory, Node version, npm registry env, and DNS server list) to http://dm-tech.ly:8001/poc-osc/callback over plain HTTP as a URL-encoded query parameter.

The main module (index.js) contains an IIFE that, when loaded in a browser context (e.g., bundled into a downstream web app), harvests document.cookie, all localStorage entries, the current URL, and userAgent, and ships them to http://dm-tech.ly:8001/poc-osc/exfil with credentials:'include'.

Although published under the personal scope @salem_jalal, the payload self-identifies internally as @dx-ui/osc-components at the same version 1981.17.7, indicating a dependency-confusion / namespace-impersonation attack against the @dx-ui scope. Console and path strings labeled [PoC] / poc-osc are cover framing; the code runs unconditionally on real installers.

Source: amazon-inspector (cb26651411f61b6420c6291f7b3a7a4869bb670f1d4c75ddfc37481c50f3aae7)
