ohcm-culture-formatting @5.0.0
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 4:33 PM UTC
OSV ID
MAL-2026-10128
Ecosystem
npm
Summary
ohcm-culture-formatting@5.0.0 declares a preinstall hook ( "preinstall": "node index.js" ) that auto-executes on npm install . index.js uses child_process.exec to run a shell pipeline that reads /etc/passwd , /etc/hosts , /etc/shadow , and id output, base64-encodes the concatenation, and POSTs it via curl to http://d98fu4tmls2g936th9qgfxje1qj9g91a6.oast.fun/ohcm-culture-formatting/$(whoami)/$(hostname)/ , embedding the installer's username and hostname in the URL path and the file contents in the User-Agent header. The destination is an Interactsh/OAST out-of-band interaction collector. The package name mimics an internal ADP/Lifion ( ohcm-* ) namespace and the description string is Lifion host , consistent with a dependency-confusion payload targeting that internal namespace.
Source: amazon-inspector (5679f4434881406ce5af055e04a3ab7403158df3404c928a7fbc67596d0e9631)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.