searchresults @999.0.0
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-7003
Ecosystem
npm
Summary
searchresults@999.0.0 is a high-version dependency-confusion squat on the generic name 'searchresults'. package.json declares preinstall and postinstall = 'node callback.js', so on npm install callback.js executes automatically and collects installer identity (username, uid/gid, homedir, shell, os.hostname(), platform, cwd, local IP, external IP fetched from api.ipify.org) plus CI context (GITHUB_REPOSITORY, GITHUB_ACTOR, JENKINS_URL, BUILD_NUMBER) and POSTs it to a hardcoded Discord webhook and a callback URL. It additionally fingerprints which installers hold monetizable CI credentials by probing for presence of AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, and DOCKER_PASSWORD in the environment and reporting the result to the same webhook. A DNS-based fallback channel base64-encodes the collected info and issues a DNS lookup of that value as a subdomain of the callback host, bypassing HTTP egress filtering. The 999.0.0 version and generic name are engineered to win npm semver resolution against internally-named private packages, giving install-time code execution on arbitrary organizations. Self-labeling as 'security research PoC' does not constitute installer consent.
Source: amazon-inspector (c7d5453a0b1576ed8880071cda901607e79f25378700d3f999ab2c9715e00635)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.