amdocs-auth-package @115.2.1
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2025-6694
Ecosystem
npm
Summary
Package name mimics an Amdocs internal package (dependency-confusion lure). package.json declares preinstall: node index.js , so npm install auto-executes index.js. index.js collects host reconnaissance via Node's os module and child_process (hostname, platform, arch, homedir, username/uid/gid/shell, OS info, plus output of whoami , id , and pwd ) and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://bet2pv7fumnp3hnz9u5oxggb329txjl8.oastify.com/detox56. No legitimate functionality is present; the sole install-time effect is reconnaissance exfiltration to an attacker-controlled out-of-band callback host.
Source: amazon-inspector (5d16664451db45f3a8b8da108a2b38785d0a7471480df169c57b38bccde640f7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.