onboardconnect-agent @1.1.32
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4627
Ecosystem: npm
Summary
The package's dist/setup.js script performs an HTTPS POST to https://oc-worker-tenant-api.wpolanco.workers.dev carrying values read from process.env, with additional fetch/POST sites further down the same file. dist/server.js contains multiple POST sinks and a ping invocation, while dist/crypto.js and dist/store.js wrap repeated Buffer.from(..., 'base64') decoding routines consistent with obfuscated payload handling. The destination is a personal *.workers.dev subdomain (wpolanco.workers.dev) that is not associated with any documented vendor publisher and is the canonical low-effort exfiltration host shape — anonymous, free, attacker-controlled, and trivially registered. No legitimate purpose for an 'onboard connect agent' to ship environment variables to a personal Cloudflare Worker exists; combined with the base64-decoding helpers in adjacent files this matches the data-exfiltration shape directly.
Source: amazon-inspector (9c17efe362ab4daf81f1ee7efe462a256ba325562a255906102d10d4a9ee87e5)