neural-network-scan @1.0.9
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-5794
Ecosystem: npm
Summary
The package ships a collect.js script that imports child_process and performs an HTTP POST carrying host identifiers (the hostname is referenced multiple times in the same file as the POST sink). This pattern (child_process, hostname collection, and an outbound POST in a non-functional 'scan' utility) matches the host-reconnaissance / data-exfiltration shape used by dependency-confusion and recon-beacon packages. The package name and minimal surface are consistent with a recon lure rather than a useful library. Installing or requiring this package causes data about the installing host to be sent to an external endpoint.
Source: amazon-inspector (898c75e5a6ae94d115820736ffd2ca4cb948f72655d5c0175a3432cec835768c)