npm

data-fetching-client @0.0.1-poc

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6411

Ecosystem

npm

Summary

Package self-identifies in its package.json description as a bug-bounty dependency-confusion proof-of-concept against an internal package name of the same identifier. On install, postinstall.js reads os.hostname() and the current timestamp and prints them to local stdout with a '[hubspot-poc]' marker; no network call is made and no data leaves the host. The harm in this version is limited to demonstrating that the public-registry package would resolve in place of the targeted internal package in a misconfigured build environment. The shape is a namespace-confusion publication: any consumer whose registry resolution is misconfigured would execute the author's postinstall code, and a non-PoC successor version could trivially replace the local log with arbitrary install-time behavior.

Source: amazon-inspector (913d882d66d587abb1d6fe92b8b6d7353c1b4ae79fb175cc3f10b606dd5f8457)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.