autotel-terminal @29.0.2
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-5186
Ecosystem
npm
Summary
The package's bundled CLI files (dist/cli.cjs and dist/cli.js) contain co-occurring tokens 'ping' and 'POST' that triggered a network/command exfiltration pattern match. These tokens are commonly produced by minified/bundled CLI tooling that includes both shell-spawn helpers and HTTP request helpers, and keyword proximity in a single bundled file is the weakest evidence shape. No traced-code evidence corroborates that these tokens are wired together into an exfiltration path, no install-time lifecycle hook is documented, and no attacker-controlled destination has been identified in the cited evidence. Routing to human review so a reviewer can de-bundle the relevant spans of dist/cli.cjs around line 3260 and dist/cli.js around line 3253 to confirm whether the 'ping' and 'POST' tokens correspond to a benign CLI feature (e.g. health-check + telemetry/upload) or a real exfiltration sink.
Source: amazon-inspector (47ab3c608b6bea332dc57224c5929d54d923655f3bd225ff30e25c3406b8a9a5)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.