crosswalker @18.2.1
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2024-2031
Ecosystem: npm
Summary
package.json declares preinstall: node index.js, causing index.js to run automatically on npm install. The script collects hostname, platform, arch, homedir, username, uid/gid, shell, OS info, cwd, and the output of whoami and id, then POSTs the JSON payload to a hardcoded URL at https://kbz9yyzq2mtljdwwf6r0tpzlfcl39txi.oastify.com/detox56. The destination is a Burp Collaborator subdomain — out-of-band infrastructure used to confirm exfiltration / RCE during dependency-confusion reconnaissance. Installer host and user identifiers leave the machine without consent on every install.
Source: amazon-inspector (b352c9c53fc71d511dae5d0fd8acc4462286092822d70e37dd413593f12bf0d3)