data-fetching-client @0.0.1-poc
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6411
Ecosystem
npm
Summary
Package self-identifies in its package.json description as a bug-bounty dependency-confusion proof-of-concept against an internal package name of the same identifier. On install, postinstall.js reads os.hostname() and the current timestamp and prints them to local stdout with a '[hubspot-poc]' marker; no network call is made and no data leaves the host. The harm in this version is limited to demonstrating that the public-registry package would resolve in place of the targeted internal package in a misconfigured build environment. The shape is a namespace-confusion publication: any consumer whose registry resolution is misconfigured would execute the author's postinstall code, and a non-PoC successor version could trivially replace the local log with arbitrary install-time behavior.
Source: amazon-inspector (913d882d66d587abb1d6fe92b8b6d7353c1b4ae79fb175cc3f10b606dd5f8457)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.