goofy-sdk @9999.0.0
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6997
Ecosystem
npm
Summary
goofy-sdk@9999.0.0 is a dependency-confusion squat: the version is inflated to 9999.0.0 to shadow an internal package of the same name in build systems that resolve unscoped names against the public npm registry. On install, the package's preinstall hook executes callback.js, which reads os.hostname(), os.userInfo().username, process.platform, and process.cwd() and transmits them out-of-band to *.oast.fun (Interactsh OAST callback infrastructure) via a DNS subdomain-encoded lookup and an HTTPS POST. Any build system that mis-resolves the internal name to this public package will silently leak internal host identity to a third-party callback service. Self-declared bug-bounty/research framing does not change the installer-side impact — the harm (unconsented host-identity beacon on install) is the same regardless of motive.
Source: amazon-inspector (779daa3389f4ff3ea7ca2acb4e0202b4465e90fa0d8b7bdcc0e3785f34e454a2)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.