afterpay-sdk-example-server @20.0.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2023-1111

Ecosystem

npm

Summary

package.json declares a preinstall hook ("preinstall": "node index.js") that npm runs automatically whenever the package is installed, including as a transitive dependency. index.js requires os, fs and https, then collects host identifiers and installer-side files — __dirname, os.homedir(), os.hostname(), os.userInfo(), the configured DNS servers, the full contents of /etc/passwd and /etc/hosts, and the package.json — and POSTs them over HTTPS to xqrangwae3pk5bd12xbr6t8q9hfc32rr.oastify.com (a Burp Collaborator out-of-band, OAST, subdomain). The package name 'afterpay-sdk-example-server' impersonates an internal Afterpay SDK example, consistent with a dependency-confusion payload aimed at Afterpay's internal build systems. Whether it was published as research or as an attack, every host on which npm install resolves this package leaks local account data and a host fingerprint to an attacker-controlled collection endpoint.

Source: amazon-inspector (a81a53b70f9ae2610148f223507c5427bea5a52160b7f8ba214a0c3ac0fe96f7)
