npm

safe-json-38bd @1.0.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6356

Ecosystem

npm

Summary

package.json declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on npm install. run.js imports os, fs, http, https, and child_process and gathers host identity and environment data: os.hostname(), os.userInfo(), os.platform(), process.env.USER, process.cwd(), plus filesystem reads via fs.readFileSync / fs.existsSync. The collected data is base64-encoded (Buffer.from(...).toString('base64')) and POSTed out via HTTP/HTTPS at multiple call sites in the same script. The package name has no documented purpose that would justify install-time host reconnaissance, base64 wrapping, or outbound POSTs. Combined fingerprints (lifecycle-hook auto-execute + host-identity collection + base64 encoding + outbound HTTP POST) match a credential / system-intel exfiltration dropper.

Source: amazon-inspector (523c83ae906ad871cb1ea3ffef4c0ae4e2d9f717376b86e97f6575e47cbc640d)
