rebrandly-domains-digger @9999.0.0
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 6:55 AM UTC
OSV ID
MAL-2026-6572
Ecosystem
npm
Summary
The package declares a preinstall hook that runs node callback.js . On npm install , callback.js collects installer-side identifiers — os.hostname() , os.userInfo().username , process.cwd() , the configured npm registry, and CI repo-identifying environment variables (e.g. GITHUB_REPOSITORY) — and issues an HTTP GET to http://75.119.137.232:31337/depconfuse?pkg=... carrying those values as query parameters. The version number 9999.0.0 and the /depconfuse path are consistent with a dependency-confusion reconnaissance beacon designed to identify organizations that internally use a package named rebrandly-domains-digger , so the attacker can target follow-on confusion attacks against their private/internal package namespace. The destination is a hardcoded bare IPv4 on a non-standard port over plain HTTP, with no relation to any legitimate publisher infrastructure.
Source: amazon-inspector (4d1744d2a299b9ef0526f49b4b2297fcd6c72581c51a3359801db56318d8cfda)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.