
insomnia-plugin-poc-m4gester2 @1.0.1

Vulnerability report · Last retrieved from osv.dev June 28, 2026 at 8:53 AM UTC

Malicious

OSV ID

MAL-2026-6553

Ecosystem

npm

Summary

Package ships only a `package.json` with no plugin code, declaring a `postinstall` lifecycle script that runs `echo PWNED_BY_DEEPLINK > /tmp/pwned.txt` on every `npm install`. This writes a marker file to the installer's filesystem and demonstrates arbitrary command execution at install time. The package name self-identifies as a proof-of-concept (`poc-m4gester`) and adopts the `insomnia-plugin-*` namespace despite shipping no Insomnia plugin functionality. While the current payload is a benign marker write, the postinstall is an arbitrary-shell-on-install primitive with no legitimate purpose, in a namespace-squat shell of a package.

Source: amazon-inspector (1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86)
