airkey-mfa-react @36.1.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6991
Ecosystem
npm
Summary
package.json declares a preinstall hook that runs index.js on npm install . index.js collects host and user identity data — hostname, platform, arch, home directory, username/uid/gid/shell, OS info, cwd, plus the output of whoami and id — and POSTs the JSON to a hardcoded Burp Collaborator-style OAST subdomain at s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package ships no library code matching its advertised MFA/React purpose; the install-time beacon is the package's only functional behavior. Empty author/description metadata and the mismatch between the package name and its contents are consistent with a dependency-confusion or namespace-squat placeholder targeting an internal package name.
Source: amazon-inspector (03026bf6133183ffaba772b4b1f585bab0a42ab87823a0a2375a7f1cba08661e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.