ls-env-config @1.0.5
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:52 PM UTC
OSV ID
MAL-2026-10678
Ecosystem
npm
Summary
Package declares a preinstall script ( node./index.js ) that fires automatically on npm install . The executed index.js issues an HTTP GET to a Burp-Collaborator-style subdomain at 85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01 . This confirms code execution on the installer's machine and a DNS/HTTP callback to a non-first-party host on every install, leaking host and network reachability information. The pattern is consistent with a dependency-confusion probe; regardless of stated intent, it executes on any installer and beacons to a third-party collaborator endpoint.
Source: amazon-inspector (db44619df34ccbffa5747f17c8135602583a781ec01f8d3c03e0f828157e944c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.