metrics-probe-64b2 @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5981
Ecosystem
npm
Summary
package.json declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on every npm install. run.js imports os, fs, http, https, and child_process, reads host identifiers including os.hostname() and os.platform(), reads files from disk via fs.readFileSync, and issues outbound HTTP POST requests carrying that data. The package's stated name ("metrics-probe") with a random hex suffix, combined with an install-time host-fingerprinting beacon and no library functionality, matches the shape of an installer-side reconnaissance / data-exfiltration payload that fires automatically on npm install without any user action.
Source: amazon-inspector (cae901b673ee21724897f69c782eb2808c55c2722bacc9912a4a3e60f7019883)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.