npm

elsisi-cli @9.9.9

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 9:54 PM UTC

Malicious

OSV ID

MAL-2026-10551

Ecosystem

npm

Summary

package.json declares preinstall and postinstall lifecycle scripts that invoke wget against https://webhook.site/d5968c3d-d0d7-46c4-9305-a726b24fce9c/, passing the installer's current working directory and hostname as query-string parameters ($(pwd), $(hostname)). Both beacons fire automatically on npm install . The tarball ships only package.json (371 bytes); the declared main entry index.js is absent and no source, README, or functionality accompanies the lifecycle hooks, so the package's only effect on install is the outbound beacon to the attacker-controlled webhook.site collector.

Source: amazon-inspector (4deec3de3ca46a57023580a81da870e3ce444a691ad6f42f5217abe206ef448a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.