npm

morningstar-design-system @99.0.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 12:29 AM UTC

Malicious

OSV ID

MAL-2026-5449

Ecosystem

npm

Summary

On npm install, the package's preinstall lifecycle script runs wget against a hardcoded bare-IP HTTP endpoint, passing the output of id, pwd, hostname, and ip a as URL query parameters. This leaks the installing user's username/UID/GID, working directory, hostname, and full network interface configuration to an attacker-controlled host automatically, before any other code runs. The package name targets Morningstar's organizational namespace and is published at an absurd 99.0.1 version — the canonical dependency-confusion shape designed to override an internal package of the same name. The README self-identifies as a dependency-confusion PoC. Whether labeled research or not, the published artifact actively exfiltrates installer data to a third-party IP and is unsafe to install in any environment.

Source: amazon-inspector (18591ac1a5cb5ca3d11e07bde38f230dccc530bb4614d45f9be1f547677a2c9e)
