npm

async-pipeline-builder@1.5.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID: MAL-2026-4275

Ecosystem: npm

Summary

The package's lib/trap-core.js bundles host-reconnaissance and outbound HTTP POST behavior in a single module: it requires os, https, fs, and child_process; reads os.hostname() and os.platform(); references ping and curl; assembles JSON payloads keyed by hostname: (lines 393, 411, 553, 600, 1023); and performs multiple POST calls (lines 385, 411, 466, 548, 549). The combination of host fingerprint collection (hostname/platform), child_process execution, and repeated POSTs from the same module matches the active-exfiltration shape rather than any documented benign use, and the file name (trap-core.js) is consistent with intentional victim-tracking infrastructure rather than a build/runtime helper. Installing or loading this package risks leaking installer host data and executing attacker-influenced shell commands.

Source: amazon-inspector (3cd513ecfe34affa7e7c2015f944b154bd876833dd0370785af04fb89917d012)
