red-bull-venue-tools @19.2.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2025-5455
Ecosystem
npm
Summary
package.json declares preinstall= node index.js , which fires automatically on npm install . index.js collects host reconnaissance — os.hostname(), os.platform()/arch, os.homedir(), os.userInfo() (username/uid/gid/shell), whoami and id shell command output via child_process.exec, OS info, and cwd — and POSTs the JSON payload to a hardcoded Burp Collaborator OAST subdomain at https://theyfiesr9w2p5moyrr9yn6lscy3mvak.oastify.com/detox56. The package name impersonates a Red Bull brand namespace, consistent with a targeted reconnaissance / dependency-confusion probe against an internal Red Bull build environment. Installer harm is concrete: every npm install of this version leaks installer identity and host fingerprint to an attacker-controlled out-of-band destination.
Source: amazon-inspector (3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.