npm

delta-time-32bb @1.0.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6351

Ecosystem

npm

Summary

Package declares a postinstall hook ("postinstall": "node run.js" in package.json) that executes run.js automatically on npm install. run.js imports os, fs, http, https, and child_process and collects host identifiers and environment data — os.hostname(), os.userInfo(), os.platform(), process.env.USER, process.cwd() — base64-encodes the payload via Buffer.from(...).toString('base64'), and POSTs it over http/https. The package has no documented purpose that would justify install-time host reconnaissance or outbound network traffic. The shape (lifecycle-triggered collection of host identity + environment + base64 wrapping + HTTP POST) is that of a credential/host-recon exfiltration beacon executed without user interaction on a default install.

Source: amazon-inspector (bcbd5b3b8f7702c8cf59c094e98f078f68563d407235bce1dd0ec6e6522fe03b)
