infrastructure-common @99.9.9
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10734
Ecosystem
npm
Summary
package.json declares a preinstall lifecycle script that runs node -e to issue an HTTP GET to a Burp Collaborator subdomain at w635fyvrqkfmh9wc9uw8444cp3vujl7a.oastify.com when npm install runs. The callback confirms code execution on the installer's host and leaks the installer's public IP and DNS resolver to a third-party listener. The package name infrastructure-common combined with an implausibly high 99.9.9 version is the canonical dependency-confusion shape, in which a public package is registered to shadow an internal name at install-time resolution.
Source: amazon-inspector (d64169ae87d8d9eaad199be028a70610f025f61e0c947838c05c24a1dd4d5578)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.