search-from-search @999.99.99
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6277
Ecosystem: npm
Summary: package.json registers node callback.js as both the preinstall and postinstall script, so the payload runs automatically on npm install. callback.js collects the full process.env (an in-source comment explicitly states that nothing is masked), the user/uid/gid/homedir/shell, hostname, platform, cwd, local and external IP (the latter via https://api.ipify.org), and CI environment indicators, then POSTs the JSON payload over plain HTTP to the hardcoded endpoint http://132.243.20.244:8000/api/collect. The outbound request sets User-Agent: dependency-confusion/${PACKAGE_NAME}, and the published version 999.99.99 matches the canonical dependency-confusion shape, chosen to outrank an internal package of the same name. On CI runners this bulk environment harvest typically includes GITHUB_TOKEN, NPM_TOKEN, AWS_* and other build-injected secrets, enabling downstream supply-chain compromise.
Source: amazon-inspector (06e2e600c7cba50d7cc3cbff52a18f77e508ec66be3a50cd4960f84771598548)
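The two signals the summary describes, install-time lifecycle hooks and a dependency-confusion style version, are both visible in the manifest before npm runs anything, so a CI gate can check for them. The following is an added example written for this record, not code from the package or from osv.dev; the manifest it audits is constructed to mirror the report's description (the package name, version and hook commands are the report's, everything else is assumed).

```javascript
// Manifest audit for the signals in the report above (added example).
// Hooks that npm runs during installation without any user interaction.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Versions such as 999.99.99 exist to outrank any internal package of the
// same name during registry resolution. Threshold of major >= 900 is an
// assumed heuristic for this example, not a rule from the report.
function isConfusionVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version || '');
  return m !== null && Number(m[1]) >= 900;
}

// Returns one finding per install hook and one for a suspicious version,
// so the caller can log them and block the install.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ kind: 'install-hook', hook, command: scripts[hook] });
    }
  }
  if (isConfusionVersion(pkg.version)) {
    findings.push({ kind: 'confusion-version', version: pkg.version });
  }
  return findings;
}

// A gate that blocks when any finding is present. Installing with
// `npm install --ignore-scripts` is the runtime mitigation for the hooks.
function shouldBlock(pkg) {
  return auditManifest(pkg).length > 0;
}

// Constructed sample manifest modelled on the report (not the real file).
const SAMPLE_MANIFEST = {
  name: 'search-from-search',
  version: '999.99.99',
  scripts: { preinstall: 'node callback.js', postinstall: 'node callback.js' },
};

// Benign manifest for comparison: no install hooks, ordinary version.
const BENIGN_MANIFEST = { name: 'example-lib', version: '1.2.3', scripts: { test: 'jest' } };

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
console.log('block sample:', shouldBlock(SAMPLE_MANIFEST), 'block benign:', shouldBlock(BENIGN_MANIFEST));
```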