dbt-language-server @1.0.1
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6367
Ecosystem: npm
Summary:
package.json declares a preinstall hook (node index.js) that runs automatically on npm install. index.js collects installer-side reconnaissance data (hostname, username, home directory, DNS servers, package metadata) and reads the contents of /etc/passwd and /etc/hosts from the installer machine, then POSTs the bundle over HTTPS to p9z268f2xv8co3wtlpujplris9y2msah.oastify.com, a Burp Collaborator subdomain used for out-of-band exfiltration. The package has empty author/description/license fields and ships no functionality beyond this payload. The name dbt-language-server shadows a plausible internal/private package, consistent with a dependency-confusion attack targeting organizations that use a dbt-related internal tool.
Source: amazon-inspector (b15387169de77b4c18baf8c3f4d27156085bd06d96d0a27879545c3f0358dba8)
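The three indicators the summary describes (an install-time lifecycle hook, blank identity metadata, and an internal-sounding name resolved from the public registry) can be checked before npm runs any hook. The following is an added example, not code from the report, the scanner or the package; it assumes the organization keeps a list of its internal package names and an internal registry host (both constructed here), and the manifest and lockfile inputs are constructed to mirror the report.

```javascript
// Added example (not from the OSV report or the package); all sample inputs are constructed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const IDENTITY_FIELDS = ['author', 'description', 'license'];

// Flag lifecycle scripts that `npm install` runs automatically, and blank identity metadata.
function auditManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === 'string' && cmd.trim() !== '') {
      findings.push(`install-time hook "${hook}" executes: ${cmd.trim()}`);
    }
  }
  const blank = IDENTITY_FIELDS.filter((f) => pkg[f] == null || String(pkg[f]).trim() === '');
  if (blank.length === IDENTITY_FIELDS.length) {
    findings.push(`no ${IDENTITY_FIELDS.join('/')} metadata`);
  }
  return findings;
}
// Dependency-confusion check over a package-lock.json v2/v3 "packages" map: a name on the
// organization's internal list must resolve from the internal registry, never elsewhere.
function auditLockfile(lockJson, internalNames, internalRegistryHost) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.resolved) continue; // root project or linked workspace
    const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 13);
    if (!internalNames.has(name)) continue;
    const host = new URL(entry.resolved).host;
    if (host !== internalRegistryHost) {
      findings.push(`${name} resolved from ${host}, expected ${internalRegistryHost}`);
    }
  }
  return findings;
}
// Constructed manifest mirroring the report: preinstall runs index.js, identity fields empty.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'dbt-language-server', version: '1.0.1', author: '', description: '', license: '',
  scripts: { preinstall: 'node index.js' },
});
// Constructed lockfile: the internal-sounding name was fetched from the public registry.
const SAMPLE_LOCK = JSON.stringify({ packages: {
  '': { name: 'app' },
  'node_modules/dbt-language-server': { version: '1.0.1',
    resolved: 'https://registry.npmjs.org/dbt-language-server/-/dbt-language-server-1.0.1.tgz' },
} });
const INTERNAL_NAMES = new Set(['dbt-language-server']); // constructed internal-package list
```

Run both audits in CI against the PR's package.json and package-lock.json and fail the build on any finding, so the hook never executes on a developer or build machine.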