npm

create-docs-mcp@9999.99.99

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5397

Ecosystem

npm

Summary

Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal package names — with a description self-identifying as a name referenced in a private repo. On npm install, postinstall.js POSTs JSON to https://ddactic-lab.online/sc/beacon containing the package name/version, Node version, OS, CI detection, and the installer's GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW environment variables when present. A DNS-encoded fallback is also emitted to subdomains of b.ddactic-lab.online to bypass HTTP egress filtering. The package's library entry point is a no-op self-require; its sole functional behavior is the install-time recon beacon. Installer harm: private repository slugs, owner names, and workflow identifiers leak from CI pipelines to an attacker-controlled domain on every install, identifying which organizations are vulnerable to follow-on dependency-confusion attacks against this name.

Source: amazon-inspector (fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647)
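The summary above names three things a defender can check for before a package like this runs on a build host: a dependency resolved at the 9999.99.99 override version, an install-time script hook in the package manifest, and script source that references the beacon domain or reads GITHUB_* environment variables. The following Python audit is an added example written for this page; it is not code from osv.dev, amazon-inspector or the npm project. The lockfile, manifest and script contents it scans are constructed sample inputs modelled on the advisory, and the function names are this example's own.

```python
import json
import re

# Indicators taken from the advisory: the high-version override used in
# dependency-confusion attacks, the npm lifecycle hooks that run at install
# time, and the beacon domain (its DNS-fallback subdomains contain the same
# string, so a substring match covers both channels).
SUSPICIOUS_VERSION = "9999.99.99"
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
KNOWN_BEACON_DOMAINS = ("ddactic-lab.online",)


def audit_lockfile(lock):
    """Return (name, version) for every resolved package pinned at the override version.

    Expects the lockfileVersion 2/3 layout, where "packages" maps
    node_modules paths to package metadata.
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if meta.get("version") == SUSPICIOUS_VERSION:
            # Aliased installs carry an explicit "name"; otherwise derive it from the path.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            findings.append((name, meta["version"]))
    return findings


def audit_manifest(manifest):
    """Return the lifecycle scripts a package.json would execute during `npm install`."""
    scripts = manifest.get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def find_beacon_indicators(source):
    """Return advisory-listed domains and GITHUB_* env-var reads found in script source."""
    hits = set()
    for domain in KNOWN_BEACON_DOMAINS:
        if domain in source:
            hits.add(domain)
    # Reads of the CI identifiers the advisory says are exfiltrated.
    hits.update(re.findall(r"process\.env\.(GITHUB_[A-Z_]+)", source))
    return sorted(hits)


# --- Constructed sample inputs (not real files from the package) ---
SAMPLE_LOCK = json.loads("""{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/create-docs-mcp": {"version": "9999.99.99", "hasInstallScript": true}
  }
}""")

SAMPLE_MANIFEST = {
    "name": "create-docs-mcp",
    "version": "9999.99.99",
    "scripts": {"postinstall": "node postinstall.js", "test": "echo ok"},
}

# Constructed fragment standing in for postinstall.js; only the indicators matter here.
SAMPLE_POSTINSTALL = (
    'const url = "https://ddactic-lab.online/sc/beacon";\n'
    "const repo = process.env.GITHUB_REPOSITORY;\n"
    "const wf = process.env.GITHUB_WORKFLOW;\n"
)


def run_audit():
    """Run all three checks over the samples and return a summary dict."""
    return {
        "override_versions": audit_lockfile(SAMPLE_LOCK),
        "install_hooks": audit_manifest(SAMPLE_MANIFEST),
        "beacon_indicators": find_beacon_indicators(SAMPLE_POSTINSTALL),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

Any non-empty result from the first two checks is a reason to stop the install and inspect the package; the override version is the strongest signal, since a legitimate package has no reason to publish 9999.99.99. Pairing this with a registry scope policy that pins internal package names to the private registry closes the dependency-confusion path the advisory describes.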
