insomnia-test-util-m4gester@1.0.1
Vulnerability report · Last retrieved from osv.dev June 28, 2026 at 8:53 AM UTC
OSV ID: MAL-2026-6554
Ecosystem: npm
Summary:
Package ships no functional code and exists solely to execute a shell command on npm install. The postinstall lifecycle hook runs echo PWNED_BY_DEEPLINK > /tmp/pwned.txt, dropping a marker file at /tmp/pwned.txt on the installer's machine. The self-identifying marker string (PWNED_BY_DEEPLINK) confirms the package's only purpose is to demonstrate arbitrary install-time code execution against installers. The package name mimics the Insomnia (Kong) HTTP-client ecosystem naming convention while the publishing handle is unrelated, consistent with a lure/PoC namespace-abuse shape. Although the present payload is a benign marker write, the install-time arbitrary-command-execution primitive is fully wired and would execute any command the maintainer publishes in a future version.
Source: amazon-inspector (3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8)
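A defender-side check for the pattern the summary describes, as an added example that is not code from the package or from the advisory source: it flags install-time lifecycle hooks in a parsed package.json and escalates when the package ships no code or the hook matches a risky shell pattern. The first manifest is reconstructed from the summary; its file list, the second package, the function name auditPackage and the pattern list are assumptions of this example.

```javascript
// Added example: static check for install-time hooks in an npm package.
// preinstall/install/postinstall are the scripts npm runs when installing a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const CODE_EXT = /\.(js|cjs|mjs|node|wasm)$/i;

// Heuristic command patterns (assumptions of this example, not an exhaustive list).
const RISKY = [
  { tag: "file-write", re: /(?<![0-9&])>{1,2}\s*[^&\s>]/ }, // shell redirect to a path
  { tag: "network-fetch", re: /\b(curl|wget|Invoke-WebRequest)\b/i },
  { tag: "inline-interpreter", re: /\b(node\s+-e|python[23]?\s+-c|(ba)?sh\s+-c|eval)\b/ },
  { tag: "tmp-path", re: /\/tmp\/|%TEMP%|\$TMPDIR/i },
];

// manifest: parsed package.json; files: relative paths shipped in the tarball.
function auditPackage(manifest, files) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === "string" && scripts[h].trim() !== "")
    .map((h) => ({
      hook: h,
      command: scripts[h],
      tags: RISKY.filter((r) => r.re.test(scripts[h])).map((r) => r.tag),
    }));
  const shipsCode = files.some((f) => CODE_EXT.test(f));
  let verdict = "ok";
  if (hooks.length > 0) verdict = "review"; // any install hook deserves a look
  // A hook with nothing to build, or a hook matching a risky pattern, is blocked.
  if (hooks.length > 0 && (!shipsCode || hooks.some((h) => h.tags.length > 0))) {
    verdict = "block";
  }
  return { id: `${manifest.name}@${manifest.version}`, hooks, shipsCode, verdict };
}

// Manifest reconstructed from the advisory summary; the file list is constructed.
const SAMPLE_LURE = {
  manifest: { name: "insomnia-test-util-m4gester", version: "1.0.1",
    scripts: { postinstall: "echo PWNED_BY_DEEPLINK > /tmp/pwned.txt" } },
  files: ["package.json"],
};
// Constructed contrast case: a native add-on with a conventional build hook.
const SAMPLE_NATIVE = {
  manifest: { name: "example-native-addon", version: "2.3.0", main: "index.js",
    scripts: { install: "node-gyp rebuild", test: "node test.js" } },
  files: ["package.json", "index.js", "binding.gyp", "src/addon.cc"],
};

for (const s of [SAMPLE_LURE, SAMPLE_NATIVE]) {
  console.log(JSON.stringify(auditPackage(s.manifest, s.files)));
}
```

Installing with npm's ignore-scripts setting (npm install --ignore-scripts) keeps hooks like this one from running at all, at the cost of also skipping legitimate build steps.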