encrata-cli @0.2.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4551
Ecosystem
npm
Summary
package.json declares "postinstall": "node install.js" , which runs at install time. install.js requires both child_process and https , branches on process.platform to enumerate host details, and issues an outbound https.get(...) carrying the collected data. This is the canonical install-time system-information exfiltration shape: child_process to spawn host-info commands, platform-gated logic to pick the right binary per OS, and HTTPS egress to ship the result. There is no legitimate reason for a CLI's postinstall to gather host metadata and POST/GET it off-host. Installing this package on any machine (developer laptop, CI runner, build server) discloses host details to a remote endpoint and provides an install-time code-execution surface.
Source: amazon-inspector (e98813f52fa8e9fc3c04bffd023445dbfed4a9b405d1e3f85511673f5e86dce7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.