discovery-build @1.0.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4266

Ecosystem

npm

Summary

package.json declares scripts.postinstall=node postinstall.js, which executes unconditionally on npm install. The script collects host identifiers (os.hostname(), os.platform(), username, cwd), reads /etc/passwd via fs.readFileSync('/etc/passwd','utf8'), and bulk-enumerates the installer's environment variables (Object.entries(process.env).slice(0, 30)), capturing whatever CI tokens, AWS credentials, npm tokens, or other secrets happen to be in scope. The collected data is POSTed as JSON over HTTPS to bl0oxto4g54mptbwu8q8i1r0mrsjgg45.oastify.com, a Burp Collaborator out-of-band testing subdomain controlled by whoever generated the payload. The package's self-description as a 'security research canary' does not change the installer-side impact: any developer or CI pipeline that installs this package leaks host identity, /etc/passwd, and a slice of its environment secrets to an external host without consent.

Source: amazon-inspector (c24a1e59b8c5d3ae1059499825bf47d1abe8d362ddefe264f1a429ed9e7e98cc)
