power-apps @2.0.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4274
Ecosystem
npm
Summary
On npm install , postinstall.js executes whoami , id , and reads os.hostname() , os.platform() , process.cwd() , and CI/GitHub environment variables, then sends the collected data as query-string parameters via HTTPS GET to br6o3tu4m5amvthw08w8o1x0srykmia7.oastify.com (a Burp Collaborator out-of-band callback domain). The script also performs a DNS lookup of <whoami>.<callback-host> as a secondary exfiltration channel. The package name impersonates Microsoft Power Apps and the request path includes /microsft (sic), indicating supply-chain reconnaissance against developers searching for Microsoft Power Apps tooling. Installing this package on a developer workstation or CI runner leaks host identity and pipeline environment metadata to an attacker-controlled collaborator endpoint.
Source: amazon-inspector (f68653eed66e7343973bc919788864990337f7645072d32a9d7465d4bf4ff4e7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.