npm

mermaid-v11@9999.0.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-5539

Ecosystem

npm

Summary

The package impersonates the legitimate mermaid diagramming library (name mermaid-v11, bogus version 9999.0.2, description 'Mermaid v11 diagramming library') and ships no library code: only a malicious preinstall lifecycle hook. On npm install, package.json line 6 runs node -e, which reads require('os').hostname() and the OS username and beacons them out-of-band to an attacker-controlled Interactsh endpoint via two channels: an HTTPS GET to https://d8l0dj5t5p5il86s3d3gepriqucsnn1nd.oast.me/?h=<hostname>&u=<username>&pkg=mermaid-v11, and a DNS lookup of mermaid-v11.<hostname>.d8l0dj5t5p5il86s3d3gepriqucsnn1nd.oast.me, which leaks the hostname through the resolver chain even if outbound HTTPS is blocked. The behavior fires automatically on a default install with no user interaction, harvesting installer host identifiers for an attacker-controlled OAST listener.

Source: amazon-inspector (416d5c5ab1bc70076021520f20e67c3c52a81b74832379e19012fa2f6526c469)
