npm

nat-ulid @3.0.2

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-5880

Ecosystem

npm

Summary

The package ships a bundled file at dist/node/payload.js containing several POST call sites (around lines 14592, 14621, 14805, 14923, 15805). Pattern matches alone cannot distinguish a legitimate HTTP client library from an exfiltration channel: the destinations may be configurable parameters of an exposed API, documented vendor endpoints, or attacker-controlled hosts. No corroborating behavior such as credential reads, environment scraping, install-time lifecycle execution, or known-bad infrastructure was identified in the available evidence. Routing to human review for semantic verification of the bundle's POST destinations and reachability.

Source: amazon-inspector (ab95c3f95c377215b7cbd4be6d2cdcc79304910b03a2dcdf08f65da6f1c05f4c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.