npm

micro-ui-loader @6.0.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10564

Ecosystem

npm

Summary

On npm install , the package's postinstall script (postinstall.js) reads os.hostname() and sends it as a query parameter in a plain-HTTP GET to a hardcoded bare IP: http://37.60.255.218/skybackground.png?display=<hostname> . The response body is piped to downloaded-image.jpg in the package directory, with redirects followed without validation, staging attacker-controlled bytes on disk. The package's advertised purpose is inconsistent across artifacts — README presents it as 'Simple Text Utils' (capitalize/reverse/wordCount), package.json describes an 'image downloader', and the exported API is only downloadImage . The author is the placeholder string 'Your Name'. The combination of an unsolicited installer-identifying beacon to a bare-IP HTTP endpoint at lifecycle time, attacker-controlled byte staging, and a cover-story mismatch is the install-time reconnaissance pattern.

Source: amazon-inspector (be44655a47177f3740201ddb9dc66db080b9f665354c78bcebeb9a2da3b11b7f)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.