guest-app-ui @99.0.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-10096
Ecosystem
npm
Summary
Package publishes as version 99.0.0 under a name presented in its README as an unclaimed internal name, positioning it to win dependency-confusion resolution against private registries. Both preinstall and postinstall lifecycle hooks in package.json execute callback.js, which collects installer host identifiers (os.hostname(), process.env.USER, process.cwd(), __dirname, platform/release, internal IPv4 addresses, and process.env.npm_config_registry), base64url-encodes the payload, and transmits it over three redundant channels to the hardcoded host 4li9yfz7.instances.httpworkbench.com: a DNS lookup/resolve4 with the payload as a subdomain label, an HTTP POST, and an HTTPS POST with TLS verification disabled (rejectUnauthorized: false). Any organization that has a private package by this name and lacks a scope/registry pin will pull this public artifact on npm install and beacon host fingerprint data to the external interaction host. The self-labeling as an authorized research PoC does not gate the behavior — every installer of this name is fingerprinted unconditionally.
Source: amazon-inspector (5244faa59fb08eaa6dec10250fe2218a4909cb06ecc6ac972fda38b144f2aaef)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.