shopify-app-bridge-internal @99.9.9
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5452
Ecosystem
npm
Summary
The package's preinstall lifecycle script in package.json runs unconditionally on npm install and issues an HTTPS GET to https://jnhwbzedabyratvgvgpgo7wtsmhsiw8d4.oast.fun/?host=shopify-<hostname>, where <hostname> is taken from os.hostname(). The oast.fun domain is a public out-of-band interaction service (interactsh) commonly used as a callback collector, so this beacon discloses the installer's machine hostname to a remote third party at install time. The unscoped package name shopify-app-bridge-internal, with version 99.9.9 and an "internal" suffix, is the canonical dependency-confusion shape against Shopify's official scoped @shopify/app-bridge: it is designed to be resolved by internal build systems that look up a private dependency name against the public registry. Despite the package's self-description as a bug-bounty PoC, the install-time beacon harms any installer that resolves the name.
Source: amazon-inspector (b21c63417fe3a82fd514d0af7c913fb3c1cd62915839dc8910483fb6484bbbd9)