consumerweb @2200.4.2
Vulnerability report · Last retrieved from osv.dev July 11, 2026 at 5:36 AM UTC
OSV ID
MAL-2026-10181
Ecosystem
npm
Summary
On npm install , both preinstall and postinstall lifecycle hooks execute index.js, which collects host reconnaissance (os.hostname(), os.userInfo().username, os.homedir(), current working directory, DNS servers from dns.getServers(), and package metadata) and exfiltrates it via DNS lookup and an HTTPS POST to a subdomain of oast.fun (interact.sh OAST collaborator). The package name and description ('Internal App bUg b0UntY gollum22 h1') indicate a dependency-confusion attempt targeting an internal package name; any successful install both confirms the internal name is squattable and leaks identifying information about the installer's environment to the attacker's collaborator. No installer opt-in, no legitimate use case for the collected data going to an OAST endpoint.
Source: amazon-inspector (74612bbfc323641d0141b4f1b495d6ea5f9b52129f2391bf21c5fabf63702ca7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.