configcat-trello-powerup @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4535
Ecosystem
npm
Summary
package.json declares "preinstall": "node index.js" , which fires automatically on npm install . index.js collects host identifiers (os.hostname, os.userInfo, homedir, DNS servers) and reads sensitive system files (/etc/passwd, /etc/hosts) plus package metadata, then HTTPS POSTs the bundle to a hardcoded Burp Collaborator subdomain hzklpyrf8gdhgtycz16veroqihobc10q.oastify.com . The package ships no real functionality — empty description, empty author, and a name resembling a plausible internal Trello/ConfigCat integration — fingerprint of a dependency-confusion squat whose only purpose is to beacon installer-side data to the attacker for follow-on targeting.
Source: amazon-inspector (5365489bc7a763096bf4be47f80bd47e4513917d8b37ba2754e33ae11983872b)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.