OSV ID
MAL-2026-5880
Ecosystem
npm
Summary
The package ships a bundled file at dist/node/payload.js containing several POST call sites (around lines 14592, 14621, 14805, 14923, 15805). Pattern matches alone cannot distinguish a legitimate HTTP client library from an exfiltration channel: the destinations may be configurable parameters of an exposed API, documented vendor endpoints, or attacker-controlled hosts. No corroborating behavior such as credential reads, environment scraping, install-time lifecycle execution, or known-bad infrastructure was identified in the available evidence. Routing to human review for semantic verification of the bundle's POST destinations and reachability.
Source: amazon-inspector (ab95c3f95c377215b7cbd4be6d2cdcc79304910b03a2dcdf08f65da6f1c05f4c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.