npm

data-utils-d703 @1.0.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6112

Ecosystem

npm

Summary

The package declares a postinstall lifecycle hook ("postinstall": "node run.js" in package.json) that executes run.js automatically on install. run.js imports child_process, os, https, and http, calls os.hostname() and os.platform(), and contains multiple POST and GET HTTP request sites. This combination — automatic install-time execution plus host enumeration plus outbound HTTP — is the structural shape of an installer-side exfiltration or dropper, but the specific destinations, payload contents, and execution paths within run.js have not been fully traced, so attacker intent is not confirmed. Manual review of run.js is required to determine whether the network calls target attacker-controlled infrastructure and whether host data is exfiltrated or remote code is fetched and executed.

Source: amazon-inspector (e172168e5ac500d10ae42718a87676ad44a589b31dbeb5f902ea7fb1c4e6a984)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.