orca-website @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4632
Ecosystem: npm
Summary
On require()/import, index.js collects host identifiers (os.hostname(), os.userInfo().username, os.platform(), os.arch(), process.cwd(), process.pid, and a timestamp) and sends them as URL query parameters in an HTTPS GET request to a hardcoded Project Discovery Interactsh out-of-band collaborator at vwfmeddcdgidvdwpkigkg0l8us5vf3wtx.oast.fun. The package's stated name ('orca-website') has no relationship to host telemetry, and package.json carries empty author, description, and keywords fields. Any consumer that imports this package leaks installer-side host identification, unconditionally, to an attacker-controlled OOB domain typically used for reconnaissance / dependency-confusion probing.
Source: amazon-inspector (c52f7fe46d56cb45880942f5266494a2654d9d330914a6c3c99f02045eacd1dc)