anthropic-shared-logger @8.0.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4479
Ecosystem
npm
Summary
This package impersonates Anthropic's internal namespace and self-describes as 'Full RCE PoC - Alex Birsan Style'. Its package.json declares a postinstall hook that, on every npm install , fetches the installer's public IP from api.ipify.org, runs id || ver && whoami && hostname via child_process.exec, and POSTs the hostname, current working directory, USERDOMAIN/COMPANY environment variables, IP address, and command output to a hardcoded Interactsh OOB endpoint at lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun over plain HTTP. The combination of namespace impersonation, automatic install-time shell execution, and host reconnaissance exfiltration to attacker-controlled out-of-band infrastructure is a canonical Birsan-style dependency confusion attack. Any build system that mis-resolves this name to the public registry leaks identity and host data to the attacker, enabling targeted follow-on compromise.
Source: amazon-inspector (e54ef50a83e2f379965286ed404d16ca3389a9ce5c8593718ef4e6f307cc6084)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.