npm

opt-archetype-check @9.99.4

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6075

Ecosystem

npm

Summary

On npm install , the package's postinstall hook executes node index.js , which collects the installer's public IP (via api.ipify.org), hostname, username, platform, current working directory, process id, and Windows domain environment variables (COMPUTERNAME, USERDOMAIN, LOGONSERVER, USERDNSDOMAIN, USERNAME), and POSTs the JSON payload to the hardcoded attacker endpoint http://109.71.252.153:8080/callback over plain HTTP. index.js line 24 hardcodes the callback host ( const CALLBACK_HOST = "109.71.252.153"; ) and line 73 issues the POST to /callback . The file's own header self-identifies as a 'PoC Callback Script — npm Package Takeover'. The package's description ('walmart Application and Middleware Server') and name shape are consistent with dependency-confusion impersonation of internal Walmart tooling — any environment that mistakenly resolves this public package will execute the beacon and leak infrastructure fingerprints to the attacker, providing reconnaissance for follow-on intrusion against the targeted internal namespace.

Source: amazon-inspector (6497b3f44c017bc9ba783cd75e17d4992f79542d8819558da92e152ee4d4471e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.