insomnia-plugin-poc-m4gester @1.0.0
Vulnerability report · Last retrieved from osv.dev June 28, 2026 at 8:53 AM UTC
OSV ID
MAL-2026-6552
Ecosystem
npm
Summary
package.json declares a postinstall lifecycle hook that runs a shell command writing a marker file to /tmp during npm install ( "postinstall": "echo PWNED_BY_DEEPLINK > /tmp/..." ). The package ships no library code and no plugin implementation, and its description field is literally "test": nothing in the package justifies install-time shell execution. The name insomnia-plugin-poc-m4gester further self-identifies it as a proof-of-concept exploit aimed at the Insomnia REST client plugin namespace. Installing the package therefore hands the publisher shell execution on the installing user's machine. The current payload is benign (a single marker-file write), but the mechanism is arbitrary code execution at install time, and the command could trivially be replaced with a destructive or exfiltrating one in a future version without any change to how the package is consumed.
Source: amazon-inspector (0eb7024d158c345559d9f130ba3a6b52563328467ec6bb560e196e5c7bc9b955)
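The report describes the mechanism (an install-time lifecycle hook with nothing in the package to justify it) but not how to spot it before npm runs the script. The following Node script is an added example, not code from osv.dev, Amazon Inspector or the Insomnia project: it triages a package.json object for install-time hooks, flags command fragments that do more than build native code, and combines that with the "no code, placeholder description" signals the report relies on. The manifests are constructed; the advisory truncates the marker path to "/tmp/...", so the file name used in the sample (PLACEHOLDER) is an assumption, not the real one, and the other two package names are invented.

```javascript
// Added example (not the advisory's code): triage an npm manifest for
// install-time script execution, the mechanism MAL-2026-6552 describes.

// npm runs these lifecycle scripts while installing a dependency, each in a
// shell on the installing user's machine.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Command fragments that suggest a hook does more than compile an addon.
const SUSPICIOUS = [
  { re: />\s*\/tmp\//, why: "writes a file under /tmp" },
  { re: /\b(curl|wget)\b/, why: "fetches from the network" },
  { re: /\|\s*(sh|bash|node|python3?)\b/, why: "pipes data into an interpreter" },
  { re: /\bbase64\s+(-d|--decode)\b|\beval\b/, why: "decodes or evals a payload" },
  { re: /\b(nc|ncat|socat)\b|\/dev\/tcp\//, why: "opens a raw socket" },
];

// Returns { name, hooks, noCode, placeholderDesc, verdict } where verdict is
// "ok" (no install hooks), "review" (hooks present, nothing flagged) or
// "block" (a flagged command, or hooks in a package with nothing else in it).
function triageManifest(pkg) {
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string").map((hook) => ({
    hook,
    cmd: scripts[hook],
    reasons: SUSPICIOUS.filter((s) => s.re.test(scripts[hook])).map((s) => s.why),
  }));

  // No entry point, no bin, no file list: nothing the hook could be building.
  const noCode =
    !pkg.main && !pkg.exports && !pkg.bin && !(Array.isArray(pkg.files) && pkg.files.length);
  const placeholderDesc =
    !pkg.description || /^(test|todo|tbd|wip)$/i.test(pkg.description.trim());

  let verdict = "ok";
  if (hooks.length) {
    const flagged = hooks.some((h) => h.reasons.length > 0);
    verdict = flagged || (noCode && placeholderDesc) ? "block" : "review";
  }
  return { name: `${pkg.name}@${pkg.version}`, hooks, noCode, placeholderDesc, verdict };
}

// Constructed manifests. The marker file name is a placeholder; the advisory
// truncates the real path to "/tmp/...".
const MALICIOUS = {
  name: "insomnia-plugin-poc-m4gester",
  version: "1.0.0",
  description: "test",
  scripts: { postinstall: "echo PWNED_BY_DEEPLINK > /tmp/PLACEHOLDER" },
};
// A legitimate native addon also has an install hook; it should land in "review".
const NATIVE_BUILD = {
  name: "example-native-addon",
  version: "2.3.1",
  description: "N-API bindings for libfoo",
  main: "lib/index.js",
  scripts: { install: "node-gyp rebuild" },
};
const PLAIN = {
  name: "example-pad",
  version: "0.1.0",
  description: "pads strings",
  main: "index.js",
  scripts: { test: "node test.js" },
};

// One summary line per manifest, suitable for a PR comment or CI log.
function report(manifests) {
  return manifests.map(triageManifest).map((r) => {
    const hooks = r.hooks
      .map((h) => `${h.hook}: ${h.cmd}${h.reasons.length ? "  <- " + h.reasons.join(", ") : ""}`)
      .join("; ");
    return `${r.verdict.padEnd(6)} ${r.name}  ${hooks || "(no install hooks)"}`;
  });
}

for (const line of report([MALICIOUS, NATIVE_BUILD, PLAIN])) console.log(line);
```

Run it over every package.json under node_modules (or over `npm view <name>@<version> scripts` output before installing) to get the same three-way split. The blunt mitigation is `npm install --ignore-scripts` or `npm config set ignore-scripts true`, which stops every lifecycle hook, including legitimate node-gyp builds; packages that need those then have to be rebuilt explicitly, which is why a triage step like the one above is worth running rather than relying on the flag alone.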