npm

ls-env-config @1.0.5

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:52 PM UTC

Malicious

OSV ID

MAL-2026-10678

Ecosystem

npm

Summary

Package declares a preinstall script ( node./index.js ) that fires automatically on npm install . The executed index.js issues an HTTP GET to a Burp-Collaborator-style subdomain at 85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01 . This confirms code execution on the installer's machine and a DNS/HTTP callback to a non-first-party host on every install, leaking host and network reachability information. The pattern is consistent with a dependency-confusion probe; regardless of stated intent, it executes on any installer and beacons to a third-party collaborator endpoint.

Source: amazon-inspector (db44619df34ccbffa5747f17c8135602583a781ec01f8d3c03e0f828157e944c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.