fury_frontend-andes-ui @99.9.5
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-10095
Ecosystem
npm
Summary
The package's postinstall hook auto-executes index.js on npm install . The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data. The package name mimics MercadoLibre's internal 'fury/andes-ui' naming convention and is published at version 99.9.5 to force resolution over any legitimate internal package with the same name — the standard dependency-confusion attack shape. The package ships no library functionality matching its name; its only effect on install is the identity beacon.
Source: amazon-inspector (29bea4f118854efa6568545722d7210a76e06e64cad4036e0cc0b45c45aafe37)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.