npm

mds-webcomponents@1.0.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID: MAL-2026-919

Ecosystem: npm

Summary

package.json declares preinstall: node index.js, which runs automatically on every npm install. index.js collects os.homedir(), os.hostname(), os.userInfo().username, dns.getServers(), the package name, __dirname, and the full package.json contents, then HTTPS POSTs them as a querystring msg=... parameter to 2mpf1804g4gnfnvuqqx3om0cw32vqlea.oastify.com, a Burp Collaborator (oastify.com) subdomain used as an out-of-band recon/exfiltration channel. The package provides no legitimate functionality; its only on-install effect is to leak installer host identity and project metadata to an attacker-controlled endpoint. This is the canonical dependency-confusion / red-team recon beacon shape.

Source: amazon-inspector (4b33015300fa18b6b3d2c2f1c0af0e77cbd9fa96c7af7befbe61a5422165824e)
