llm-traces-app @1.0.1
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6371
Ecosystem: npm
Summary
On `npm install`, the package's `preinstall` lifecycle hook runs `node index.js`, which collects host identity (`os.hostname()`, `os.userInfo()`, homedir, DNS servers, cwd) and reads the installer's `/etc/passwd` and `/etc/hosts`, then HTTPS POSTs the combined payload to `ltiyq4zyhrs88zgp5lef9hbec5i46uuj.oastify.com`, a Burp Collaborator (OAST) subdomain controlled by the package publisher. The exfiltration fires automatically on a default install with no user interaction. Reading `/etc/passwd` enumerates the installer's local user accounts, and the OAST destination gives the publisher arbitrary out-of-band data capture. This is a textbook dependency-confusion / supply-chain exfiltration beacon.
Source: amazon-inspector (c0916c8694f396dfa0947df6e3b3d3966839a6e02d4a4f5b84f698787c446bdc)
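As an added defender-side example (not code from the advisory, osv.dev or the package itself), the following Node script triages an unpacked package's lifecycle hooks for the pattern described above: it resolves which file each hook executes and flags the indicators the summary names (host-identity APIs, `/etc/passwd` reads, outbound HTTPS, an `oastify.com` callback). The package.json, the script contents and the callback host are constructed placeholders.

```javascript
// Added triage check (example code, not the advisory's or the package's own):
// inspect an unpacked npm package BEFORE `npm install` runs its lifecycle hooks.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator pairs a regex over the hook's script source with why it matters.
const INDICATORS = [
  { re: /os\.(hostname|userInfo|homedir)\s*\(/, why: "collects host identity" },
  { re: /dns\.getServers\s*\(/, why: "enumerates DNS resolvers" },
  { re: /\/etc\/(passwd|hosts|shadow)\b/, why: "reads sensitive system file" },
  { re: /https?\.(request|get)\s*\(/, why: "makes outbound HTTP(S) call" },
  { re: /\b[a-z0-9-]+\.oastify\.com\b/i, why: "Burp Collaborator (OAST) callback domain" },
];

// Extract the local file a hook command executes, e.g. "node index.js" -> "index.js".
function scriptFileFromCommand(cmd) {
  const m = /\bnode\s+(?:-[\w-]+\s+)*([^\s&|;]+\.[cm]?js)\b/.exec(cmd);
  return m ? m[1] : null;
}

// pkg: parsed package.json; files: map of path -> source text from the tarball.
// Returns one finding per lifecycle hook plus an overall verdict.
function triagePackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    const file = scriptFileFromCommand(cmd);
    // Fall back to scanning the command itself if the script file is not present.
    const source = file && files[file] !== undefined ? files[file] : cmd;
    const reasons = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.why);
    findings.push({ hook, cmd, file, reasons });
  }
  return { findings, suspicious: findings.some((f) => f.reasons.length > 0) };
}

// Constructed sample modelled on the advisory's description; the callback host is
// a placeholder and the network send is left as a comment, so nothing is sent.
const SAMPLE_PKG = { name: "sample-pkg", version: "0.0.1",
  scripts: { preinstall: "node index.js", test: "echo ok" } };
const SAMPLE_FILES = {
  "index.js": [
    'const os = require("os"), fs = require("fs"), https = require("https");',
    "const who = { host: os.hostname(), user: os.userInfo().username, cwd: process.cwd() };",
    'const users = fs.readFileSync("/etc/passwd", "utf8");',
    "// ...then https.request() POSTs {who, users} to PLACEHOLDER-ID.oastify.com",
  ].join("\n"),
};

console.log(JSON.stringify(triagePackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

Run it against the unpacked tarball (`npm pack` then extract) rather than after install, since by then the hook has already executed; a `suspicious` verdict on any install-time hook is the cue to set `ignore-scripts=true` and review the package by hand.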