kraken-ui @999.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5399
Ecosystem
npm
Summary
On require/load, index.js imports os, dns, https, querystring and the package's own package.json, then collects os.hostname(), os.userInfo().username, os.homedir(), __dirname (the install path), dns.getServers() and the full package.json contents, and sends the JSON payload in an HTTPS POST to nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com, a Burp Collaborator out-of-band (OAST) subdomain.

The combination of version 999.0.0 and the self-described 'dependency confusion proof of concept' is the canonical dependency-confusion attack shape: the package is published to the public registry under a name that exists only in a private registry, with a version high enough to win semver resolution over the internal build. Any installer or build system whose resolver picks up this version leaks identifying host and user details, the install location and the internal DNS resolver topology to an attacker-controlled server. Because the behaviour fires automatically when the module's main entry is loaded rather than from an install script, disabling lifecycle scripts at install time does not prevent it; the package must be kept out of the resolved dependency tree in the first place.
Source: amazon-inspector (168f5bafda658807ea431a8cb06a1e3006d639d17b7f0c97d3d63e34f49129d5)
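The following script is an added example, not part of the OSV record or of the kraken-ui package, showing the resolver-side check a consumer of an internal npm registry would run over a lock file to catch this shape. It reads a package-lock.json (lockfileVersion 2 or 3, "packages" map) and flags any entry whose name is on an internal-package allowlist but resolved from the public registry, and any entry with an implausibly high version such as 999.0.0. The allowlist (kraken-ui, kraken-auth), the private registry host and the sample lock file are constructed for the demonstration.

```javascript
// Added example: lock-file audit for the dependency-confusion shape described
// in the summary above. Not the package's code and not part of the OSV record.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Assumption: names that exist only in the organisation's private registry.
const INTERNAL_PACKAGES = new Set(["kraken-ui", "kraken-auth"]);

// A major version at or above this is treated as a hijack marker; attackers
// pick values like 999.0.0 so semver resolution prefers their upload.
const SUSPICIOUS_MAJOR = 900;

// Lock-file keys look like "node_modules/foo" or
// "node_modules/a/node_modules/@scope/b"; return the package name part.
function packageNameFromPath(pathKey) {
  const marker = "node_modules/";
  const idx = pathKey.lastIndexOf(marker);
  return idx === -1 ? pathKey : pathKey.slice(idx + marker.length);
}

// Leading major version as a number, or NaN when the string is not a version.
function majorOf(version) {
  const m = /^(\d+)\./.exec(version || "");
  return m ? Number(m[1]) : NaN;
}

// Walk every resolved package and return a list of findings.
function auditLockfile(lock, internalNames = INTERNAL_PACKAGES) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = entry.name || packageNameFromPath(key);
    const resolved = entry.resolved || "";
    if (internalNames.has(name) && resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, version: entry.version, reason: "internal name resolved from public registry" });
    }
    if (majorOf(entry.version) >= SUSPICIOUS_MAJOR) {
      findings.push({ name, version: entry.version, reason: "implausible version" });
    }
  }
  return findings;
}

// Constructed sample lock file: one hijacked internal package pulled from
// npmjs.org, one internal package correctly pinned to the private registry
// (hostname is an assumption), and one ordinary public package.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/kraken-ui": {
      version: "999.0.0",
      resolved: "https://registry.npmjs.org/kraken-ui/-/kraken-ui-999.0.0.tgz",
    },
    "node_modules/kraken-auth": {
      version: "2.3.1",
      resolved: "https://npm.internal.example/kraken-auth/-/kraken-auth-2.3.1.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]
// With no argument the constructed sample above is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.name}@${f.version}: ${f.reason}`);
  }
}
```

Run against the sample, the script reports kraken-ui@999.0.0 twice (internal name resolved from the public registry, and an implausible version) and nothing for the other two entries. In a real pipeline the allowlist would be generated from the private registry's package list, and the same check belongs next to the preventive control: an .npmrc that pins every internal scope or name to the private registry so the public registry is never consulted for those names.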