atlasora-config @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-6239
Ecosystem
npm
Summary
The package declares a postinstall hook in package.json ("postinstall": "node install.js") that auto-executes install.js on every npm install. install.js imports https, fs, os, and child_process; collects host identity via os.hostname() and os.userInfo() (line 16, 18); reads filesystem state with fs.existsSync (lines 53, 62, 83); shells out via execSync (line 77); and POSTs the collected data over an https.request to a remote endpoint (lines 96, 104, 113). The combination of host/user identity collection, filesystem probing, command execution, and outbound HTTPS POST inside a postinstall script is the canonical install-time exfiltration shape. Installing the package causes the installer's machine identity and environment data to be transmitted to a remote endpoint without consent.
Source: amazon-inspector (f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.