npm-sandbox-ping-c8f2a@1.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5757

Ecosystem

npm

Summary

The package declares a postinstall hook ("postinstall": "node run.js" in package.json) that executes on every install. Bundled scripts beacon6.js and beacon_linux.js use require('child_process') to gather host identity (whoami, os.hostname(), os.platform()) and POST the collected data to a remote HTTP endpoint via http.request(...). The package name npm-sandbox-ping-c8f2a and the beacon-style file naming, together with the absence of any legitimate library functionality, indicate that the install-time goal is host fingerprinting and callback to an attacker-controlled destination, not any documented purpose. Installing this package automatically transmits the installing machine's identity off-host.

Source: amazon-inspector (f5401a81d56283c310efebfe29af19c3e3fa331667f40adeed71a54627adc877)
