int_sezzle_sfra @25.2.1
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC
OSV ID
MAL-2026-6577
Ecosystem
npm
Summary
package.json declares preinstall: node index.js , which fires automatically on npm install . index.js collects host reconnaissance from the installer machine — hostname, OS info, username, uid/gid, shell, home directory, current working directory, and the output of whoami and id shelled out via child_process.exec — and POSTs the resulting JSON to a hardcoded Burp Collaborator OAST subdomain at https://1mopc72u2pqhsphbd3rmzirm9df43wrl.oastify.com/detox56. The package name mirrors the Salesforce Commerce Cloud (SFRA) cartridge naming convention used by Sezzle's internal int_sezzle_sfra integration cartridge; combined with empty author/description/license metadata and the install-time OAST beacon, this matches the canonical dependency-confusion pattern targeting a private vendor cartridge name. Installing this package causes unconsented exfiltration of installer identity and shell-command output to an attacker-controlled callback host.
Source: amazon-inspector (16242285e7dabb5a109f61e97ab52c05ad80ea9b8f326a706c3228268536e80d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.