sheratan_test_p @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5993
Ecosystem
npm
Summary
On npm install , the package's postinstall.js executes whoami via child_process and POSTs the output (along with stderr, error, and a timestamp) to a hardcoded webhook.site collector URL. The package self-describes as 'A simple date formatting utility' and contains no code matching that purpose; the only behavior on install is the host-identity beacon. Package metadata is consistent with a throwaway exfiltration artifact (placeholder name sheratan_test_p , empty author, generic description). Any developer or CI runner installing this package leaks their user/host context to an attacker-controlled third-party collector.
Source: amazon-inspector (472354ac3cd0bba5d399eea2f09e4b7f60cb2cb65e20d4af0f6398882403f566)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.