npm

polipoli-pak @1.0.2

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-10099

Ecosystem

npm

Summary

On npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of the installing machine — os.hostname(), os.userInfo().username, platform, arch, node version, cwd, INIT_CWD, npm user-agent, and the sorted list of every process.env variable name — to a hardcoded webhook.site canary URL (https://webhook.site/a428f027-90c9-45e2-acca-ffbb4ea86044) that the installer never configured. Second, it walks common project locations under INIT_CWD (index.html, public/index.html, src/index.html, dist/index.html, build/index.html) and rewrites each file via fs.writeFileSync to inject a fixed-position red banner div into the page body. The environment-variable name inventory reveals which credentials are present on the host, and the HTML rewrite silently modifies files the installer owns at install time.

Source: amazon-inspector (a8693677ff1f1f887c11d3b4f6ad3f1742c7eefd07b6b8cfabd6cfccc32bc48f)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.