dependency_confusions @99.9.9
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-10085
Ecosystem
npm
Summary
package.json declares a postinstall hook that runs index.js on npm install. On execution, index.js collects the installer's OS username (os.userInfo()), hostname (os.hostname()), current working directory, local IPv4 address, and platform (os.platform()), then POSTs the collected fields as JSON to a hardcoded webhook.site endpoint (https://webhook.site/264e1903-28ea-48ea-8c55-be58c5a76791). Fires automatically as a lifecycle hook without user consent, matching the classic dependency-confusion reconnaissance beacon: the exfiltrated username/hostname/cwd/localIP reveal internal build hosts and internal package namespaces that an attacker uses to target follow-on dependency-confusion attacks against the victim's private registry.
Source: amazon-inspector (2c5eab14c78cbbb6e4b580162a242817f899f6529485cb7f9197b6dfe05a3413)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.