npm

infrastructure-common @99.9.9

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10734

Ecosystem

npm

Summary

package.json declares a preinstall lifecycle script that runs node -e to issue an HTTP GET to a Burp Collaborator subdomain at w635fyvrqkfmh9wc9uw8444cp3vujl7a.oastify.com when npm install runs. The callback confirms code execution on the installer's host and leaks the installer's public IP and DNS resolver to a third-party listener. The package name infrastructure-common combined with an implausibly high 99.9.9 version is the canonical dependency-confusion shape, in which a public package is registered to shadow an internal name at install-time resolution.

Source: amazon-inspector (d64169ae87d8d9eaad199be028a70610f025f61e0c947838c05c24a1dd4d5578)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.