@webapp-next/store @91.1.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-3749
Ecosystem: npm
Summary:
package.json declares "preinstall": "node index.js", which npm runs automatically on npm install. index.js collects os.hostname(), os.platform(), os.arch(), os.homedir(), os.userInfo() (username, uid, gid, shell), OS release/memory/CPU info, process.cwd(), and the output of the shell commands whoami and id, then POSTs the aggregated JSON to https://oia2jeijtfmt053ynp686t5riioac00p.oastify.com/testbydext. The destination is a Burp Suite Collaborator out-of-band interaction subdomain controlled by the attacker. The package has no legitimate functionality: index.js contains only the exfiltration payload, and package.json carries empty author/description fields under a scope (@webapp-next) that resembles a legitimate namespace, consistent with a dependency-confusion lure.
Source: amazon-inspector (cbad3803cdda40845fe2aa64e0963b9293f9ee523b3f9205a354da2ae1e317bf)