backpack-ios @1.0.0
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6366
Ecosystem: npm
Summary
package.json declares "preinstall": "node index.js", causing index.js to execute automatically on npm install. The script collects host identifiers (os.hostname, os.userInfo, homedir, DNS servers, cwd, the full package.json) and reads /etc/passwd and /etc/hosts via fs.readFileSync, then HTTPS POSTs the JSON payload to xopalguac3nk3bb10x9r4t6q7hdd13ps.oastify.com, a Burp Collaborator (OAST) subdomain used for out-of-band data exfiltration. The package name mirrors Skyscanner's Backpack iOS design-system package while shipping a ~2KB exfil-only payload with empty author/description fields, consistent with a dependency-confusion / typosquat lure. Installing this package directly leaks the installer's host identity and local user account data to an attacker-controlled endpoint.
Source: amazon-inspector (25f0d7ea98cef4ddcac8af3b854c37c1a8a3246a13357af60cb36589454657b5)
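A defender-side check for the install-hook pattern described in the summary, added here as an example and not part of the OSV record or any scanner's code: it flags packages whose lifecycle scripts run automatically on npm install and inspects the invoked file for the host-enumeration markers and OAST domain suffix the report names. The sample package and file contents are constructed stand-ins.

```python
import json
import re
from pathlib import Path

# npm lifecycle scripts that run without user interaction during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Out-of-band callback domain suffix named in the report (Burp Collaborator)
OAST_SUFFIXES = ("oastify.com",)
# Host-enumeration calls and files the report says the payload reads
SENSITIVE_MARKERS = ("os.hostname", "os.userInfo", "/etc/passwd", "/etc/hosts")

def find_install_hooks(pkg: dict) -> dict:
    # keep only the scripts that fire automatically on install
    scripts = pkg.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

def script_indicators(source: str) -> list:
    # substring indicators present in a script's source text
    hits = [f"oast:{s}" for s in OAST_SUFFIXES if s in source]
    hits += [f"api:{m}" for m in SENSITIVE_MARKERS if m in source]
    return hits

def audit_package(pkg: dict, files: dict) -> dict:
    # pkg is the parsed package.json, files maps filename -> source text
    hooks = find_install_hooks(pkg)
    indicators = []
    for cmd in hooks.values():
        # resolve `node <file>` to the script it executes and inspect that file
        m = re.match(r"^\s*node\s+(\S+)", cmd)
        if m and m.group(1) in files:
            indicators += script_indicators(files[m.group(1)])
    # an install hook plus empty author/description is the lure shape in the report
    empty_meta = not pkg.get("author") and not pkg.get("description")
    return {"name": pkg.get("name"), "hooks": hooks, "indicators": indicators,
            "suspicious": bool(hooks) and (bool(indicators) or empty_meta)}

def audit_package_dir(pkg_dir: Path) -> dict:
    # load a real package directory such as node_modules/<name> and audit it
    pkg = json.loads((pkg_dir / "package.json").read_text())
    files = {p.name: p.read_text(errors="replace") for p in pkg_dir.glob("*.js")}
    return audit_package(pkg, files)

# Constructed stand-ins mirroring the shape described in the report; the index.js
# text holds marker strings only and performs no action.
SAMPLE_PKG = {"name": "backpack-ios", "version": "1.0.0", "author": "", "description": "",
              "scripts": {"preinstall": "node index.js"}}
SAMPLE_FILES = {"index.js": "// constructed marker file, does nothing\n"
                            "const markers = ['os.hostname', '/etc/passwd', 'x.oastify.com'];\n"}
```

Run audit_package_dir over each entry under node_modules after an install in CI to surface install hooks before code reaches a build host.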