pewter-constants@9999.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4637

Ecosystem

npm

Summary

On npm install, a preinstall hook in callback.js collects os.hostname(), os.userInfo().username, process.cwd(), the configured npm registry (npm_config_registry), and CI repository identifiers (GITHUB_REPOSITORY, CI_PROJECT_PATH, BUILD_REPOSITORY_NAME) and sends them by HTTP GET to http://75.119.137.232:31337/depconfuse. The package is shaped as a dependency-confusion squat: version 9999.0.0 to win semver resolution against an internal package of the same name, an empty index.js (module.exports = {}), and placeholder author/description metadata ("Security Researcher", "Security research placeholder"). Any build that resolves pewter-constants from the public registry will install this package and silently leak its internal registry URL, CI repository path, and host/user identity to a third-party operator over plain HTTP. The "security research" framing in the metadata does not change the installer-side impact: internal infrastructure is fingerprinted and disclosed without consent.
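A defender-side check for the squat shape described above, written as an added example that is not part of the OSV record or of Amazon Inspector's tooling: it audits a package-lock.json (lockfileVersion 3) for internal package names resolved from the public registry, implausibly high versions, and entries that declare install scripts. It assumes INTERNAL_PACKAGES lists the names your organisation publishes only privately; the lock data below is constructed.

```javascript
// Added example: audit a lockfileVersion 3 package-lock for dependency-confusion bait.
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';
const INTERNAL_PACKAGES = new Set(['pewter-constants']); // assumption: internal-only names
const SUSPICIOUS_MAJOR = 9000; // majors at or above this are treated as squat bait

// Constructed sample lock: one ordinary package and one squat-shaped entry.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/example-utils': {
      version: '2.3.1',
      resolved: 'https://registry.npmjs.org/example-utils/-/example-utils-2.3.1.tgz',
    },
    'node_modules/pewter-constants': {
      version: '9999.0.0',
      resolved: 'https://registry.npmjs.org/pewter-constants/-/pewter-constants-9999.0.0.tgz',
      hasInstallScript: true, // npm sets this when the package declares install hooks
    },
  },
};

// Derive the package name from a lock path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Return one finding per suspicious entry, each listing every reason it tripped.
function auditLock(lock, internalNames = INTERNAL_PACKAGES) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry
    const name = entry.name || nameFromPath(lockPath);
    const reasons = [];
    if (internalNames.has(name) && (entry.resolved || '').startsWith(PUBLIC_REGISTRY)) {
      reasons.push('internal package name resolved from the public registry');
    }
    const major = parseInt(entry.version, 10);
    if (Number.isFinite(major) && major >= SUSPICIOUS_MAJOR) {
      reasons.push(`implausibly high version ${entry.version}`);
    }
    if (entry.hasInstallScript) reasons.push('declares install lifecycle scripts');
    if (reasons.length) findings.push({ name, version: entry.version, resolved: entry.resolved, reasons });
  }
  return findings;
}
```

Feed it a real lock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and fail the CI job on any finding; the structural fix is to publish internal names under a scope and bind that scope to the private registry in .npmrc (@scope:registry=...), so they can never resolve from the public registry at all.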

Source: amazon-inspector (3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5)
