gpt-chat-cli@1.0.2

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 12:37 PM UTC

Malicious

OSV ID: MAL-2026-6375

Ecosystem: npm

Summary

collect.js bundles a host-reconnaissance and exfiltration payload. It loads child_process, fs, os, http, and https, reads os.hostname() and os.homedir(), enumerates filesystem paths via fs.existsSync(), and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net (collect.js line 13, POST at line 366). The destination is unrelated to any documented purpose of a 'GPT chat CLI' package and matches the shape of a system-information stealer. Installing this package places attacker-controlled data-collection code into the install tree.

Source: amazon-inspector (e8890af695b137878736a36dae473487015eb1954c494fec0b5a6041f0817832)
