connectedmerchantsserv @9.9.11
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10459
Ecosystem
npm
Summary
The package's scripts.install lifecycle hook runs node index.js , which loads lib/core.js . That module collects the installer's OS username, hostname, and current working directory basename, then encodes those values as subdomain labels of oob.sl4x0.xyz prefixed with paypal2 and issues dns.resolve4 queries against the resulting hostname, leaking the data out-of-band to the attacker's authoritative DNS server. The Node API names ( os , dns , userInfo , username , hostname , cwd ) and the destination domain are hidden as char-code numeric arrays reconstructed via String.fromCharCode in lib/b02e30.js and lib/6ad264.js to evade static inspection. The package is presented as generic 'enterprise utilities' but ships no functionality matching that description.
Source: amazon-inspector (834b886e34ea551223e9eeb30561267c93226eac960729a9a0ff6a06277c74cf)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.