npm

bugexploit @99.9.9

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC

Malicious

OSV ID

MAL-2026-10201

Ecosystem

npm

Summary

package.json declares a postinstall script that runs node index.js . On npm install , index.js collects the installer's username (os.userInfo()), hostname (os.hostname()), and current working directory (process.cwd()), then POSTs them as JSON via https.request to the hardcoded endpoint https://webhook.site/cd23dfb8-a0fc-4ff7-818c-f7812fcb4bec. The transmission is unconditional and fires automatically on default install. The destination is a generic webhook-capture service unrelated to any declared package purpose, and the collected fields are host identifiers useful for victim triage / beacon confirmation.

Source: amazon-inspector (745f81b0c53fa121939d4f71680783860795a394eb30308f6e7e2dcf29401c92)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.