oauth-connect @2.0.1
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2024-2779
Ecosystem
npm
Summary
package.json declares a preinstall: node index.js hook that fires automatically on npm install. index.js collects installer-side data — os.hostname(), os.userInfo(), home directory, DNS server configuration, the contents of /etc/passwd and /etc/hosts, and the contents of the consumer's package.json — then HTTPS POSTs the assembled JSON to f3js0y9srl22itqjffo9jbl8mzswgm4b.oastify.com, an attacker-controlled Burp Collaborator subdomain. The package's advertised purpose (an OAuth helper) bears no relationship to reading /etc/passwd or beaconing host identifiers off-machine. This is a reconnaissance / dependency-confusion exfiltration payload that runs unattended on every installer.
Source: amazon-inspector (b49c48193ba50bb4ead1e212925eab8873e7e4ad7fa834d41e7626bb4e5036f3)