metrics-probe-77d4 @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5982
Ecosystem
npm
Summary
On install, package.json runs postinstall: node run.js. The run.js script imports os, fs, http, https, and child_process and at runtime collects host identifiers (os.hostname(), os.platform()) and reads files from the filesystem (fs.existsSync / fs.readFileSync), then issues outbound HTTP/HTTPS requests including POST calls (run.js lines 322, 329) and GET / http.get fetches (lines 38, 190). The postinstall lifecycle hook causes this code to execute automatically on npm install without consumer interaction, exposing installer host information and local file contents to attacker-controlled network destinations. The package name (random suffix -77d4) and the absence of any documented purpose are consistent with a disposable exfiltration lure rather than a legitimate library.
Source: amazon-inspector (1d079b30dbb30db1a61acddcd094d2e7e67e7ef466d624e4ad2392edc9d9203e)