npm-rce-safe-proof-yourname @1.0.0
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC
OSV ID
MAL-2026-10159
Ecosystem
npm
Summary
On npm install , postinstall.js runs whoami , reads os.hostname() , process.platform , and process.version , and transmits them via HTTPS GET to a hardcoded remote endpoint at https://testnpm.byte.eyes.sh/npm-proof. This fires automatically as a lifecycle hook with no user consent. The package's declared purpose ( npm script for showing date strings ) and its self-labeling as a 'safe proof' do not match the observed behavior — the code is a functional install-time identity beacon transmitting the installer's username and hostname to an author-controlled destination. Beaconing installer identity to a hardcoded third-party host on install is credential/identity leakage regardless of the 'proof' framing.
Source: amazon-inspector (f9fdedc15d959d978bd3563d29d16c5ab226d3c4fa4ab8b6fecf8bdf130e29ab)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.