npm

os-ulid-void @3.0.2

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-5348

Ecosystem

npm

Summary

The package ships a minified file at dist/payload.js where multiple HTTP POST call sites appear (lines 14503, 14532, 14716, 14834, 15716). The literal evidence captured is only the keyword 'POST' without surrounding context, so the destinations, request bodies, and reachability (install-time vs import-time vs explicit user-call) cannot be determined from the available signals. The package name resembles common ULID utility naming and may be a confusion candidate, but no concrete installer-harm code path (env-var scrape, credential read, hardcoded attacker endpoint, dropper, lifecycle hook tied to an exfil call) has been verified. Manual review of dist/payload.js is recommended to confirm whether the POST sites target attacker-controlled destinations or are part of legitimate API surface.

Source: amazon-inspector (ae1f330082068d43b4ef645b06ce190fb0354367ab0d98edadd3f15c6c99dea1)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.