ppt-creator @1.0.0
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6355
Ecosystem
npm
Summary
On npm install , package.json's preinstall hook runs index.js, which collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, the package's own package.json) and reads the contents of /etc/passwd and /etc/hosts, then HTTPS-POSTs the resulting JSON to a Burp Collaborator subdomain at 3z3l99x7vp8us6lzqm575hfh58bzzqnf.oastify.com. The package has no documented purpose and no library functionality — its only effect on installers is the exfiltration beacon. Any developer or CI system that runs npm install ppt-creator leaks user-account enumeration data and host fingerprints to the attacker-controlled collaborator endpoint.
Source: amazon-inspector (8040bc58597dee52581beb232688c85302554af0af5726abc15c56a21ac69f2c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.