screenpipe-mcp-http @9999.99.99
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 12:29 AM UTC
OSV ID
MAL-2026-5402
Ecosystem
npm
Summary
screenpipe-mcp-http@9999.99.99 is a dependency-confusion lure that beacons installer-identifying data to an attacker-controlled domain on npm install. The package.json declares an absurdly high version (9999.99.99) with description 'npm 404 error referenced in screenpipe/screenpipe', the canonical shape of a dependency-confusion claim against an unregistered name referenced by an upstream project. A postinstall hook (postinstall.js) POSTs a JSON body to https://ddactic-lab.online/sc/beacon containing the npm package name/version, Node version, OS, CI detection flag, and GitHub Actions metadata (GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, GITHUB_WORKFLOW). To bypass corporate HTTP egress filters, the same data is also encoded into a subdomain of b.ddactic-lab.online and exfiltrated via DNS lookup. index.js further recursively requires its own name ( module.exports = require('screenpipe-mcp-http') ), so any internal upstream reference that resolves through npm pulls this attacker-controlled package.
Source: amazon-inspector (28109405008c1eaee3b3702337a3278723bb7e70e01929a4b76132b19c705790)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.