smb-common-uikit @15.2.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10615
Ecosystem
npm
Summary
package.json declares a preinstall hook that runs index.js. On npm install, index.js collects host reconnaissance from the installer (os.hostname(), os.userInfo(), os.platform(), os.arch(), homedir, uid/gid, shell, plus the output of whoami , id , and cwd via child_process) and POSTs the resulting JSON to the hardcoded URL https://rmh3j781pdp9ysnwutndo1ftjkpbd31s.oastify.com/detox56. oastify.com is a Burp Suite Collaborator out-of-band interaction domain, and the unique random subdomain plus install-time host beacon is the canonical dependency-confusion / reconnaissance exfiltration shape.
Source: amazon-inspector (66072ca2fc20c19a01d0a2b888d90632a7d9bfdc34a2d1a71b61ad06975eae5c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.