@su-doughnym/loginui @99.99.99
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC
OSV ID
MAL-2026-6408
Ecosystem
npm
Summary
Package self-identifies as a HubSpot dependency-confusion proof-of-concept and is published at version 99.99.99 — a typical high-version-pin used to win resolution against internal packages of the same name. On install, postinstall.js reads os.hostname(), os.userInfo().username, process.version, PID, and the package name/version, then prints them to stdout. There is no network I/O, no remote fetch, no eval, no filesystem writes outside normal npm behavior, and no credential access. An installer who unintentionally pulls this via a misconfigured registry/scope gets noisy install logs but no data exfiltration or code execution by an attacker. Routing to review because the package is a name-squat against an internal scope and the PoC nature plus the 99.99.99 version pin means future republishes by the same author could swap in real installer-harm behavior.
Source: amazon-inspector (5768349705baa7b448fddb22d17412ce7befdaedd68b2e91a452eb6521e0bc66)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.