npm

@su-doughnym/hubspot-loginui-poc @99.99.99

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC

Malicious

OSV ID

MAL-2026-6407

Ecosystem

npm

Summary

Package is openly labeled a dependency-confusion proof-of-concept and uses a high version number (99.99.99) consistent with that intent. The preinstall and postinstall scripts collect host metadata (os.hostname, os.platform, username, cwd, pid, timestamp) and write it to a local file (.resolution-proof.json) inside the package's own directory. No network I/O, no eval, no remote fetch, no reads of installer secrets (~/.npmrc, ~/.aws/, ~/.ssh/), and no writes outside the package directory occur. As shipped, the package is not installer-harmful — nothing leaves the machine — but the high-version dependency-confusion shape is exactly what a malicious actor would use to shadow a private @su-doughnym/* package in an internal install. Routing to human review so a maintainer can confirm this is a legitimate internal PoC and decide whether the published artifact should remain on the public registry.

Source: amazon-inspector (72fa1e159f93bb8a1336dc48fe329f3a7801ebf56a49620ce67fd013ea8995ae)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.