osep-api-hub-service-client-v1 @10.9.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4633
Ecosystem: npm
Summary
package.json declares "preinstall": "node index.js", causing index.js to run automatically on npm install. index.js collects host identifiers — os.hostname(), os.userInfo() (username/uid/gid/shell), os.homedir(), process.platform, process.arch, process.cwd() — and additionally shells out via child_process to whoami and id. The collected JSON is POSTed to the hardcoded URL https://0pqbxi1hplohnif3fa7tyc1at1zsnobd.oastify.com/detox56, a Burp Collaborator (oastify.com) subdomain controlled by whoever published the package. The package name mimics an internal-sounding scoped client and ships with empty author/description metadata, consistent with a dependency-confusion attack targeting a private package namespace. Any developer or CI system that installs this package immediately leaks host and user identity to the attacker's Collaborator endpoint.
Source: amazon-inspector (cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76)
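
A lock-file check for the two traits described in the summary (an internal-sounding name resolved from a public registry, and a script that runs at install time), as an added example that is not part of the original report or of any scanner named on this page. The internal-name list, the internal registry host and the sample lock file are hypothetical or constructed; resolved and hasInstallScript are the fields npm writes to package-lock.json (lockfileVersion 2 and 3).

```javascript
// Added example: audit a parsed package-lock.json for the traits in this report.
// INTERNAL_NAMES and INTERNAL_REGISTRY_HOST are hypothetical, organisation-supplied values.
const INTERNAL_NAMES = new Set(["osep-api-hub-service-client-v1"]);
const INTERNAL_REGISTRY_HOST = "npm.internal.example";

// "node_modules/a/node_modules/@s/b" -> "@s/b" (nested installs keep the last segment)
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function resolvedHost(entry) {
  try { return new URL(entry.resolved).hostname; } catch { return null; }
}

function auditLockfile(lock, internalNames = INTERNAL_NAMES, internalHost = INTERNAL_REGISTRY_HOST) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || entry.link) continue; // skip root project and workspace links
    const name = entry.name || packageName(lockPath);
    const host = resolvedHost(entry);
    const reasons = [];
    if (internalNames.has(name) && host !== internalHost)
      reasons.push(`internal name resolved from ${host || "unknown source"}`);
    if (entry.hasInstallScript) reasons.push("runs a script at install time");
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings.sort((a, b) => b.reasons.length - a.reasons.length); // worst first
}

// Constructed sample lock file; tarball URLs are illustrative, not taken from the report.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/osep-api-hub-service-client-v1": {
      version: "10.9.1", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/osep-api-hub-service-client-v1/-/osep-api-hub-service-client-v1-10.9.1.tgz",
    },
    "node_modules/constructed-native-addon": {
      version: "2.0.0", hasInstallScript: true,
      resolved: "https://npm.internal.example/constructed-native-addon/-/constructed-native-addon-2.0.0.tgz",
    },
    "node_modules/constructed-lib": { version: "1.2.3", resolved: "https://npm.internal.example/constructed-lib/-/constructed-lib-1.2.3.tgz" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run the check on the lock file during review, and install with npm ci --ignore-scripts until every flagged entry has been cleared.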