skills-detector @2.0.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4670
Ecosystem
npm
Summary
On npm install, the package's postinstall.js runs unconditionally. It executes whoami and id via child_process.execSync, collects os.hostname(), os.platform(), the current working directory and the CI, GITHUB_REPOSITORY and NODE_ENV environment variables, and sends them in an HTTPS GET request to the hardcoded host 0bcdniet6uubfi1lkxgx8qhpcgid65uu.oastify.com (a Burp Collaborator out-of-band application security testing, OAST, domain). As a secondary OAST channel it also issues a DNS lookup for <whoami>.0bcdniet6uubfi1lkxgx8qhpcgid65uu.oastify.com, which leaks the username through the resolver chain even where outbound HTTPS from the install host is blocked. The package describes itself as a 'Security research canary', but it is published on the public registry and runs on any installer's machine, so it leaks host identity and CI/GitHub repository context to a third party.
Source: amazon-inspector (844190b21455d308d6e2b5305ebe92634d80b55817290a84644a1048df0e54b3)