bimi-maker @8.2.4
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10579
Ecosystem
npm
Summary
On npm install , the package's preinstall hook runs node index.js , which executes whoami and id via child_process and collects os.hostname() , os.userInfo() , os.platform() , homedir, cwd, and related host identifiers. The collected JSON payload is POSTed over HTTPS to a hardcoded Burp Collaborator subdomain, https://mqgby2y4jlp0k06gbpg1ulgjqaw1ks8h.oastify.com/detox56 . The package ships no legitimate functionality matching its BIMI-related name; the only observable behavior is an install-time reconnaissance beacon to an attacker-controlled OAST endpoint, consistent with dependency-confusion or typosquat probing.
Source: amazon-inspector (4a4e6202887cfa87e6dcff6e37af854445a0e44f38b25ef6d3e40fec06cc8b5f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.