npm

library-explorer @25.2.1

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC

Malicious

OSV ID

MAL-2026-10205

Ecosystem

npm

Summary

package.json declares preinstall: node index.js . On npm install , index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out whoami and (non-Windows) id via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56. The package ships no real functionality (empty description/author, single preinstall script) and is consistent with a dependency-confusion / internal-name recon beacon staged to fire automatically on install.

Source: amazon-inspector (28b5db05b3bdfb9cc8b1af9759f05a3bc7a1b6a9c364b86831b93df78e9e2273)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.