myreviews-core @99.0.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10740
Ecosystem
npm
Summary
package.json declares a postinstall lifecycle hook that runs node -e to issue an HTTPS GET to a hardcoded webhook.site collector URL, appending the installer's hostname ( os.hostname() ), OS username ( os.userInfo().username ), current working directory ( process.cwd() ), and a timestamp as query parameters. The request fires automatically on npm install with no opt-in and no relation to any documented package functionality. The version number (99.0.0) is consistent with a dependency-confusion lure intended to shadow an internal package name and beacon successful installs to the attacker.
Source: amazon-inspector (9c41d5d4352e265f0efbc0089a19c5773ceeb76c0265831eeeeca19151fe4f64)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.