atlasora-client @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-6238
Ecosystem
npm
Summary
package.json declares "postinstall": "node install.js", which runs automatically on npm install. install.js requires https, fs, os, and child_process; collects host identifiers via os.hostname() and os.userInfo(); invokes execSync() to gather additional system data; checks for sensitive files via fs.existsSync(); and POSTs the collected data to a hardcoded remote endpoint via https.request(). This is the canonical install-time system-information exfiltration shape: any developer or CI machine that runs npm install atlasora-client will silently leak host identity, user account info, and reconnaissance data about local filesystem contents to an attacker-controlled destination.
Source: amazon-inspector (fbd4392d81da887d2d7da24519df3a7d9341ee45e1fc091a724c4f5ede766ae5)