fkext-browser-min @1.0.14
Vulnerability report · Last retrieved from osv.dev July 11, 2026 at 5:36 AM UTC
OSV ID
MAL-2026-10183
Ecosystem
npm
Summary
The package runs vishu.js as a preinstall lifecycle hook on npm install . That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form ping-<hostname>.<collaborator>.oastify.com , providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.
Source: amazon-inspector (1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.