npm

nam-os-a-man @99.9.9

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC

Malicious

OSV ID

MAL-2026-6967

Ecosystem

npm

Summary

The package declares a postinstall hook that runs index.js on npm install. index.js collects the installer's OS username (os.userInfo().username), hostname (os.hostname()), and current working directory, and POSTs them as JSON to a hardcoded webhook.site collector at https://webhook.site/9bbc2089-62c5-46d8-bfaf-f238cc8d0275. Errors are swallowed so the beacon runs silently. The package ships no library functionality (empty description, empty author, no README), the name 'nam-os-a-man' is a fragmented/typosquat-style identifier, and the version is pinned to 99.9.9 — a common dependency-confusion sentinel. The install-time exfiltration of host identity to an attacker-controlled webhook collector is the entire purpose of the package.

Source: amazon-inspector (a483a2ae78f1f6f7d3d4da1ab74cc189f29564e002299f09c19e0d3eb41e40aa)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.