paypal-postman-lib @2.0.9
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2025-47594
Ecosystem: npm
Summary
The package's index.js imports os, fs, and https at the top level and reads os.hostname() and os.userInfo() before sending the collected host identity over an outbound HTTPS request. The package name impersonates PayPal/Postman branding while shipping no legitimate library functionality, and the only observable behavior is collection and transmission of installer host data. Installing or requiring this package causes the installer's hostname and OS user identity to be sent to a third-party endpoint.
Source: amazon-inspector (c2b733a611e3d27e56f4c6ee549bbcf3d88a1c823512c13797440c4c13f2712c)