npm

myreviews-core @99.0.0

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10740

Ecosystem

npm

Summary

package.json declares a postinstall lifecycle hook that runs node -e to issue an HTTPS GET to a hardcoded webhook.site collector URL, appending the installer's hostname ( os.hostname() ), OS username ( os.userInfo().username ), current working directory ( process.cwd() ), and a timestamp as query parameters. The request fires automatically on npm install with no opt-in and no relation to any documented package functionality. The version number (99.0.0) is consistent with a dependency-confusion lure intended to shadow an internal package name and beacon successful installs to the attacker.

Source: amazon-inspector (9c41d5d4352e265f0efbc0089a19c5773ceeb76c0265831eeeeca19151fe4f64)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.