reactive-cdk-app @1.0.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4254
Ecosystem
npm
Summary
package.json declares preinstall: node index.js, so installation automatically executes index.js. The script reads /etc/passwd via fs.readFileSync, collects hostname, username, platform, cwd, and home directory from the os module, slices the first 30 entries of process.env (which on CI typically include AWS_*, GITHUB_TOKEN, NPM_TOKEN, and similar credentials), and HTTPS-POSTs the JSON payload to 3nrgzlqwix6erldow0s0kttsojuai36s.oastify.com, a Burp Collaborator out-of-band exfiltration subdomain. The package name and description ('package of the reactive-cdk-app of the aws') impersonate AWS CDK naming, fitting a typosquat-with-payload pattern. Any developer or CI system running npm install reactive-cdk-app leaks host identity, the local user database, and a bulk slice of environment secrets to the attacker.
Source: amazon-inspector (84d7572f96294e867b18a0448ac0e70af3d08769749aa73388b38d88492559e4)