insomnia-plugin-poc-m4gester-run @1.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10493
Ecosystem
npm
Summary
package.json declares a postinstall lifecycle hook that runs calc.exe on the installer's machine during npm install . The main entry point exports only an empty requestHooks array, providing no actual Insomnia plugin functionality — the package's sole effect is the arbitrary command execution at install time. The name self-identifies as a proof-of-concept and mimics the Insomnia plugin naming convention with a leet-substituted variant, indicating the package exists solely to demonstrate/exploit install-time RCE. While calc.exe itself is benign, the postinstall hook establishes full arbitrary-command-execution capability against any developer installing the package on Windows.
Source: amazon-inspector (38a525aea57681df6c21035b723701fa6067f091fd81ac26bb3fcc8e2126c43e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.