npm

babel-preset-lib-client @4.9.11

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC

Malicious

OSV ID

MAL-2026-10214

Ecosystem

npm

Summary

index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP (via https://api.ipify.org), current working directory, the full output of printenv (base64-encoded), and the base64-encoded output of tree../ , then POSTs the aggregated payload to a hardcoded Discord webhook at https://discord.com/api/webhooks/1524917003394089029/. The package name mimics the babel-preset naming convention but the code implements no Babel functionality; author, description, and keywords are empty. Any consumer that installs and requires this package leaks its full process environment (typically including NPM_TOKEN, AWS_*, GITHUB_TOKEN, and other CI/developer secrets) plus a listing of the parent directory to the attacker-controlled Discord channel.

Source: amazon-inspector (4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.