npm

dependency_confusions @99.9.9

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10085

Ecosystem

npm

Summary

package.json declares a postinstall hook that runs index.js on npm install. On execution, index.js collects the installer's OS username (os.userInfo()), hostname (os.hostname()), current working directory, local IPv4 address, and platform (os.platform()), then POSTs the collected fields as JSON to a hardcoded webhook.site endpoint (https://webhook.site/264e1903-28ea-48ea-8c55-be58c5a76791). Fires automatically as a lifecycle hook without user consent, matching the classic dependency-confusion reconnaissance beacon: the exfiltrated username/hostname/cwd/localIP reveal internal build hosts and internal package namespaces that an attacker uses to target follow-on dependency-confusion attacks against the victim's private registry.

Source: amazon-inspector (2c5eab14c78cbbb6e4b580162a242817f899f6529485cb7f9197b6dfe05a3413)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.