npm

estore-client @5.0.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10634

Ecosystem

npm

Summary

package.json declares a preinstall lifecycle script that runs wget against https://webhook.site/d32804ac-1bbb-4100-ab60-95231dd3251c/, sending the installer's OS username ($(whoami)), current working directory ($(pwd)), and hostname ($(hostname)) as query parameters. This fires automatically on npm install before any user code runs. webhook.site is an anonymous request-collector service; the destination is not associated with a legitimate publisher endpoint. The behavior is host reconnaissance / beaconing consistent with a supply-chain recon stage.

Source: amazon-inspector (6f5f2a664c7576b3cbf04696ddff717d8b3e9b835693035fa56a23035edef411)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.