npm

conversionvaluemanager @3.0.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10084

Ecosystem

npm

Summary

On npm install, postinstall.js automatically runs and gathers installer-identifying data (os.hostname(), os.userInfo(), os.platform(), cwd, Node version, timestamp), then sends it as query-string parameters via plain-HTTP GET to a Burp Collaborator subdomain at aq4v2egelzh9n07h3l9d2b5mvd14pvdk.oastify.com/adjust-dep-confusion. The package.json description self-identifies as a dependency-confusion proof-of-concept ("PoC - Dependency Confusion - Bug Bounty by ha4x0r"), and the package name targets an internal/private package name. Any organization whose build misresolves to this public package leaks host, user, and environment identifiers to the third-party Collaborator endpoint on install. PoC/bug-bounty framing does not change the installer-side impact: the beacon fires on every install.

Source: amazon-inspector (21445a74cc1c4d33c89f1a7d8c357c79d5adb11cda135c813676b23c875418e9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.