OSV ID
MAL-2026-5612
Ecosystem
npm
Summary
On npm install, postinstall.js runs unconditionally and collects a wide range of installer-side reconnaissance data: hostname and FQDN; the contents of /etc/hosts (non-loopback entries, which on corporate machines often map internal domain controllers and services); Windows Active Directory variables (USERDNSDOMAIN, USERDOMAIN, LOGONSERVER); USERNAME and USERPROFILE; the OneDrive folder name (which frequently contains the company name); VPN client signals; the configured npm registry URL; and CI repository identifiers (GITHUB_REPOSITORY, CIRCLE_*, CI_PROJECT_PATH, BITBUCKET_REPO_FULL_NAME, BUILD_REPOSITORY_URI, TRAVIS_REPO_SLUG, JENKINS_URL, CI_SERVER_URL). The collected fields are concatenated into a query string and sent by plaintext HTTP GET to http://46.224.67.169:3000/ping. The package's main module is empty (module.exports = {}), so the postinstall beacon is the package's only effect, and the README falsely claims "No data is collected". This is a classic supply-chain reconnaissance/targeting payload designed to map the corporate networks, internal AD topology, and CI/CD environments of installers.
Source: amazon-inspector (8b9bdc5e04979d5b4f73407bcedaecc9df24dbb03e0bfbc0edefe333023dc50c)