@ts-internal/shared-lib@9.9.9
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5863
Ecosystem: npm
Summary
The package squats the internal-looking scope @ts-internal/shared-lib on the public npm registry and runs a network beacon both during install (preinstall and postinstall hooks invoke node lifecycle.js) and on module load (index.js calls require('./beacon').beacon('require')). beacon.js collects os.hostname(), os.userInfo().username, process.cwd(), os.platform(), and the package name/version, hex-encodes the blob, and transmits it via DNS lookup and HTTPS GET to d8oa6q03t3o2ksbjirogwxiwiyhp6e57o.oast.site (an interactsh OAST collector) and npm-dc-seek-1781572474.testingboxes.com. Any build that misresolves this name to the public registry will silently leak identifying host metadata to two third-party endpoints. The README self-describes the package as a dependency-confusion proof-of-concept, but installers cannot consent and cannot verify researcher authorization; the squat-plus-beacon mechanism is the attack regardless of stated intent.
Source: amazon-inspector (7afc836ea4b9ecc7e09f0add976470f1b4e253f8b5b53b3ce706889efb349171)
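Added example, not part of the OSV record or the reporter's tooling: a check of package-lock.json (lockfileVersion 2 or 3) for the misresolution the summary describes, flagging any package in an internal scope that did not resolve from the private registry and noting whether it declares install scripts. The private registry host npm.corp.example, the @ts-internal/config entry and the sample lockfile are constructed assumptions.

```javascript
// Assumption: scopes this organisation publishes only to its private registry.
const INTERNAL_SCOPES = ['@ts-internal'];
// Assumption: hostname of that private registry (placeholder).
const PRIVATE_HOSTS = ['npm.corp.example'];

// Returns internal-scope lockfile entries that did not resolve from PRIVATE_HOSTS.
function auditLock(lock, scopes = INTERNAL_SCOPES, hosts = PRIVATE_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@scope/name"; take the last name.
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || entry.link) continue; // root project or workspace symlink
    const name = path.slice(idx + 'node_modules/'.length);
    if (!scopes.includes(name.split('/')[0])) continue;
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* no usable URL */ }
    if (host && hosts.includes(host)) continue; // came from the private registry
    findings.push({ name, version: entry.version, resolvedHost: host,
      hasInstallScript: entry.hasInstallScript === true });
  }
  return findings;
}

// Constructed sample lockfile: one misresolved internal package, one correct, one public.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/@ts-internal/shared-lib': {
      version: '9.9.9',
      resolved: 'https://registry.npmjs.org/@ts-internal/shared-lib/-/shared-lib-9.9.9.tgz',
      hasInstallScript: true,
    },
    'node_modules/@ts-internal/config': {
      version: '1.4.2',
      resolved: 'https://npm.corp.example/@ts-internal/config/-/config-1.4.2.tgz',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
  },
};

console.log(auditLock(SAMPLE_LOCK));
```

A finding with hasInstallScript set to true means the package's lifecycle hooks ran on any machine that installed from this lockfile without --ignore-scripts.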