npm

bug-monorepo@3.1.94

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6349

Ecosystem

npm

Summary

package.json declares preinstall: node index.js, causing index.js to run automatically on npm install. The script collects hostname, username, home directory, DNS servers, and the full package.json, and reads /etc/passwd and /etc/hosts (index.js:18), then HTTPS-POSTs the JSON payload to cp5uzinglyy3ifb8gvvgvq5qvh19p0dp.oastify.com (a Burp Collaborator out-of-band subdomain controlled by the attacker). Empty author/description fields and the generic bug-monorepo name are consistent with a dependency-confusion recon package targeting an internal namespace. Installing this package leaks host identity and sensitive system file contents to an attacker-controlled endpoint.

Source: amazon-inspector (bdac6ea5e7530323f39451c43fc9e4693b30704a5f9e9287018c727a44c36a5d)
