npm

create-vercel-integration@1.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5894

Ecosystem

npm

Summary

Package name mimics Vercel's official create-* initializer convention (e.g. create-next-app), targeting developers who mistype or guess the initializer name and invoke npx create-vercel-integration. The bin script (bin/run.js) hardcodes a callback URL https://deepbounty.dd06-dev.fr/cb/f7506d76-f300-4c91-a105-41c07ad317fc and, on invocation, reads the INIT_CWD environment variable, extracts its basename, and POSTs {pkg, timestamp, transport, project} to that author-controlled endpoint. The package self-describes as a 'Bug Bounty PoC', but it is published on the public npm registry under a name shaped like an official Vercel scaffold and silently leaks the installer's project directory name to a third party with no disclosure or opt-out. The package provides no legitimate Vercel-integration scaffolding functionality; the bin's only effect is the beacon.

Source: amazon-inspector (aeaea6bab6360c38ed5a7de7065eb04d0ac489bb3670b68defc8bc26874d3d62)
