OSV ID
MAL-2026-6964
Ecosystem
npm
Summary
package.json declares postinstall: node index.js , causing index.js to execute automatically on npm install . The script collects the installer's OS username (os.userInfo().username), current working directory (process.cwd()), hostname (os.hostname()), and non-internal IPv4 address (derived from os.networkInterfaces()), then POSTs them as a JSON body to a hardcoded webhook.site endpoint controlled by the author. The package has no legitimate library functionality — its only file is the beacon, its description is empty, and it declares a self-referential dependency on itself. Installing this package leaks installer host identifiers to an attacker-controlled collector.
Source: amazon-inspector (193f3dbfb6073e7b6c5dacb0e79157ccac9c69ac4c23d2c8270cc23d27cab699)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.