node-vfs-polyfill @2.0.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-6143
Ecosystem
npm
Summary
On install, postinstall.js executes automatically and exfiltrates host reconnaissance data to attacker-controlled subdomains on oastify.com (Burp Collaborator), a domain commonly used for out-of-band data exfiltration. The script imports http, https, os, and child_process; calls os.hostname() and execSync() to gather system identifiers; and POSTs the collected data — including hostname, username, and version fields — to hardcoded endpoints such as http://xxxxxxxxx.oastify.com and http://rni4z9qkil62r9dcwosokhtgo7u9i76w.oastify.com. The package name suggests a generic VFS polyfill but the postinstall does no polyfill work; its sole observable effect on npm install is system-info exfiltration. This matches the dependency-confusion / reconnaissance beacon pattern.
Source: amazon-inspector (7fb213e524ed75dcb54961d6d2ee9431ea6a32f4fdcb9d777bc260102920d81b)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.