itc-actors-api @99.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4589
Ecosystem
npm
Summary
The package contains callback.js which collects host identifiers and user information (os.hostname(), os.userInfo(), os.platform(), cwd) and transmits them via an HTTPS request. The file structures the collected data with fields like hostname, username, and cwd — the canonical reconnaissance-beacon shape used by dependency-confusion / supply-chain reconnaissance campaigns. The package name and 99.0.0 version (a high-version-number pattern typical of dependency-confusion attacks targeting internal package names) further corroborate malicious intent. Installing or loading this package leaks identifying information about the installer's machine to an external endpoint.
Source: amazon-inspector (22687e1f7601dde1753d3775925d62d040892631394937e56e9b9fba74fb85c6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.