npm

ecto-spirit-win-k4n8 @1.0.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-5691

Ecosystem

npm

Summary

The package ships a postinstall.js that imports child_process and references HTTP GET and hostname operations. Without traced-code corroboration of how these primitives are composed (e.g., whether GET fetches attacker-controlled content that is then executed, or whether hostname is exfiltrated to a remote endpoint), the pattern is consistent with both benign install diagnostics and an exfil/dropper shape. Manual review of postinstall.js is needed to confirm intent before publishing a verdict.

Source: amazon-inspector (8082c12f69dfbb45e83017fa0baf4f88f9500649dd443e80f2d7d4f858020814)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.