banana-stand @9.9.11
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-4495
Ecosystem
npm
Summary
On npm install, the package's install lifecycle hook runs node index.js, which loads lib/core.js. That module reads os.userInfo().username, os.hostname(), and the basename of process.cwd(), then issues a dns.resolve4 lookup for lwbanana.<username>.<hostname>.<cwd>.<unixtime>.oob.sl4x0.xyz, smuggling host identifiers out-of-band via DNS to an author-controlled domain. The same path also fires on require('banana-stand') because main points at the same entry. Strings used to construct the exfil (os, dns, userInfo, hostname, cwd, resolve4, and the destination domain oob.sl4x0.xyz) are concealed as String.fromCharCode byte arrays in lib/6ad264.js and lib/b02e30.js and decoded at runtime, indicating intentional concealment of the exfiltration channel.
Source: amazon-inspector (ab14273a518e66f357d229806e82cb2f4ce211cae4bc5de0f2d15eeab67fb720)
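For triage, the query layout given in the summary can be matched against resolver logs to find which hosts ran the hook and which identifiers each one leaked. This is an added example, not code from the package or from the OSV record: the log line format, the sample lines, and the names parseBeacon and findBeacons are constructed, and it assumes username and cwd each occupy a single DNS label while a fully qualified hostname may span several.

```javascript
// Marker label and destination zone are taken from the report summary.
const EXFIL_ZONE = 'oob.sl4x0.xyz';
const MARKER = 'lwbanana';

// Parse one queried name. Returns the leaked fields, or null when the
// name is not a beacon of the reported shape.
function parseBeacon(qname) {
  // DNS names are case-insensitive and may carry a trailing root dot.
  const name = String(qname).trim().toLowerCase().replace(/\.$/, '');
  if (!name.endsWith('.' + EXFIL_ZONE)) return null;
  const labels = name.slice(0, -(EXFIL_ZONE.length + 1)).split('.');
  // Minimum: marker, username, hostname, cwd, unixtime.
  if (labels.length < 5 || labels[0] !== MARKER) return null;
  const unixtime = labels[labels.length - 1];
  if (!/^\d+$/.test(unixtime)) return null;
  return {
    username: labels[1],
    // Assumption: an FQDN from os.hostname() contributes several labels,
    // so everything between username and cwd is treated as the hostname.
    hostname: labels.slice(2, -2).join('.'),
    cwd: labels[labels.length - 2],
    unixtime, // kept as the raw digits; the report does not state the unit
  };
}

// Scan log lines of the constructed form "<iso-time> <client-ip> <qtype> <qname>".
function findBeacons(lines) {
  const found = [];
  for (const line of lines) {
    const [ts, client, qtype, qname] = line.trim().split(/\s+/);
    if (!qname) continue;
    const fields = parseBeacon(qname);
    if (fields) found.push({ ts, client, qtype, ...fields });
  }
  return found;
}

// Constructed sample log, not captured traffic.
const SAMPLE_LOG = [
  '2026-06-20T10:01:02Z 10.0.4.17 A registry.npmjs.org.',
  '2026-06-20T10:01:05Z 10.0.4.17 A lwbanana.alice.build-07.webapp.1781949665.oob.sl4x0.xyz.',
  '2026-06-20T10:03:11Z 10.0.9.3 A LWBANANA.ci.runner1.corp.example.api.1781949791.OOB.SL4X0.XYZ',
  '2026-06-20T10:04:00Z 10.0.9.3 A notoob.sl4x0.xyz.example.com.',
];

console.log(findBeacons(SAMPLE_LOG));
```

Each hit names the querying client and the username, hostname and working-directory name that left the network, which is the list of identifiers to treat as disclosed.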