build-scripts-utils @1.1.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4276
Ecosystem
npm
Summary
lib/trap-core.js performs system reconnaissance and network exfiltration. The module imports fs, https, dns, and os, then collects host identifiers (os.hostname(), os.platform(), os.homedir(), process.env.USER, process.cwd()) and POSTs them to hardcoded HTTPS endpoints via https.request/https.get at lines 267, 274, 292, 293, and 346. The combination of system enumeration, environment/identity reads, filesystem inspection (fs.existsSync at lines 26/79/194), and hardcoded outbound POST destinations is the canonical credential/host-beacon exfiltration shape. The package name advertises generic 'build script utilities,' which does not justify host fingerprinting and remote beacons. Installing or loading this package leaks installer host metadata to attacker-controlled infrastructure.
Source: amazon-inspector (a1fe619a6d6c21ceaad6ecacc77e482b9d0b9973fd8fd3ce9bba7296b066a926)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.