ecto-spirit-win-k4n8 @1.0.0
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-5691
Ecosystem
npm
Summary
The package ships a postinstall.js that imports child_process and references HTTP GET and hostname operations. Without traced-code corroboration of how these primitives are composed (e.g., whether GET fetches attacker-controlled content that is then executed, or whether hostname is exfiltrated to a remote endpoint), the pattern is consistent with both benign install diagnostics and an exfil/dropper shape. Manual review of postinstall.js is needed to confirm intent before publishing a verdict.
Source: amazon-inspector (8082c12f69dfbb45e83017fa0baf4f88f9500649dd443e80f2d7d4f858020814)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.