leviosa86-test @4.999.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC
OSV ID
MAL-2026-10636
Ecosystem
npm
Summary
leviosa86-test@4.999.0 ships src/poc/index.js which uses child_process.exec to run a shell pipeline that collects host reconnaissance data (hostname, current working directory, whoami, a package identifier) and the public egress IP fetched from https://ifconfig.me, concatenates the values, and exfiltrates them via nslookup as a subdomain label of d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site — an Interactsh (project-discovery) out-of-band callback domain. The generic package name combined with the anomalous 4.999.0 version bump is the canonical dependency-confusion research/attack shape, where a high version number is published to a public registry to override a private internal package and cause the recon payload to fire in the victim's build.
Source: amazon-inspector (46b0bed6337ffe527af2615fed8ae1ecbb449f6a6cb00afa6381f7811ec88956)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.