
qa-handoff @0.13.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5571

Ecosystem

npm

Summary

On npm install, the package automatically executes lib/_setup.js via the postinstall lifecycle hook. The script spawns a detached Node process that collects host identifiers (hostname, username, platform, architecture, IPv4 addresses, current working directory, npm registry) and the names of environment variables matching /NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY/, then HTTPS POSTs that payload to a hardcoded DingTalk bot webhook (oapi.dingtalk.com/robot/send) using an embedded access token. Before sending, the script checks whether the username or hostname contains any of 'sandbox', 'malware', 'analyst', 'cuckoo', 'analysis', 'sample' and silently skips the beacon if so — explicit sandbox/analyst evasion that confirms malicious intent. The pattern matches the canonical dependency-confusion reconnaissance beacon used to fingerprint internal CI/build environments for follow-on attacks.

Source: amazon-inspector (4939e56124668b7d03f9e2a96dfbfedba53e24aaa5d2190e298547e724b1f851)
