fork-angular-daterangepicker @11.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-6255
Ecosystem: npm
Summary
package.json declares a preinstall lifecycle hook ("preinstall": "node index.js") that runs index.js on every npm install. index.js line 3 hardcodes https://d8s1eti9io6kqja3sg5gsyqs4aqawhqxg.oast.live/npm-installed and issues an HTTPS GET to that endpoint at install time. oast.live is an Interactsh / OAST collaborator service; the unique per-subdomain identifier lets whoever generated it confirm, out-of-band, which hosts installed the package, capturing the installer's source IP, DNS resolver, and install timestamp. The package describes itself as a "PoC package for dependency confusion testing", and its name impersonates the legitimate angular-daterangepicker package, indicating that the beacon's purpose is to verify dependency-confusion hits inside private/internal build environments. Even when framed as a "PoC", running this on a real installer leaks network-position metadata to a third party without consent.
Source: amazon-inspector (d81ecc9a5b511f1d867597c3834e62c3c174209ba7718db45bf27af5d862d90f)
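A defender-side check for the pattern this report describes, as an added example (not code from the report or from the package): it lists install-time lifecycle hooks in a parsed package.json and flags OAST callback hosts hardcoded in the hook command or in the script it runs. The function names, the suffix list and the sample package are assumptions constructed for illustration.

```javascript
// Added example: audit a package for install-time hooks and hardcoded OAST callbacks.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Assumption: extend this list locally; oast.live is the only suffix named in the report.
const OAST_SUFFIXES = ['oast.live'];
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Return the distinct OAST hostnames found in URLs inside `text`.
function oastHosts(text) {
  const hits = new Set();
  for (const m of text.matchAll(URL_RE)) {
    const host = m[1].toLowerCase().replace(/\.$/, '');
    if (OAST_SUFFIXES.some(s => host === s || host.endsWith('.' + s))) hits.add(host);
  }
  return [...hits];
}

// manifest: parsed package.json; files: { relativePath: sourceText } from the tarball.
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const finding = { hook, cmd, script: null, callbacks: oastHosts(cmd) };
    // Resolve "node <file>" so the hook's target script is inspected as well.
    const m = cmd.match(/^\s*node\s+(?:\.\/)?([^\s;&|]+)/);
    if (m) {
      finding.script = m[1];
      const src = files[m[1]] ?? files[m[1] + '.js'];
      if (src !== undefined) finding.callbacks.push(...oastHosts(src));
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample mirroring the report; the hostname is a placeholder, not the reported one.
const sampleManifest = { name: 'example-pkg', version: '11.0.0',
  scripts: { preinstall: 'node index.js', test: 'echo ok' } };
const sampleFiles = { 'index.js':
  "const https = require('https');\n\nhttps.get('https://placeholder-id.oast.live/npm-installed');\n" };

const report = auditPackage(sampleManifest, sampleFiles);
console.log(JSON.stringify(report, null, 2));
```

Any install-time hook is worth a finding on its own, even with no callback match. Installing with npm's --ignore-scripts flag keeps hooks like this one from running at all.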