npm

nabisco @0.0.1-poc

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6412

Ecosystem

npm

Summary

Package self-describes as a security PoC for dependency confusion targeting an internal HubSpot module name. On install, postinstall.js prints a confirmation line ('nabisco resolved from registry.npmjs.org and executed') along with the host's name (os.hostname()) and a timestamp to stdout. No network egress, credential access, filesystem persistence, or remote payload fetch is present in the current version — the postinstall is purely a local log statement. The harm shape is the namespace squat itself: any HubSpot build that misroutes a request for the internal 'nabisco' module to the public registry will execute this package's code at install time, and any future republish under the same name could add a real payload while keeping the same install path. Routing to human review for a takedown / dispute decision rather than blocking on confirmed installer-side harm.

Source: amazon-inspector (9d0ed482ca35ed621384d6d91c398fe605352571a710d8f4222af056cedf48bb)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.