buffer-wrap-67d7 @1.0.0
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6348
Ecosystem
npm
Summary
The package declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on npm install. run.js imports os, fs, http, https, and child_process, and collects host and user identity signals including os.hostname(), os.userInfo(), os.platform(), process.env.USER, and process.cwd(), alongside filesystem reads (fs.existsSync, fs.readFileSync). Collected data is base64-encoded (Buffer.from(...).toString('base64')) and POSTed out via http/https calls (multiple POST sites at run.js lines 131, 339, 346). The composition — automatic lifecycle trigger, system/user reconnaissance, base64 packaging, and outbound POSTs — is the canonical install-time exfiltration shape and produces direct attacker benefit (host fingerprinting and credential-adjacent data leaving the installer's machine).
Source: amazon-inspector (a0192c1f2bf35c50a401e2df63f505564880339f5329c0ffcfdb8748cd6d48e3)