npm

starship-timeline@1.0.1

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC

Malicious

OSV ID

MAL-2026-6485

Ecosystem

npm

Summary

starship-timeline@1.0.1 ships no real functionality. Its package.json declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js collects hostname, username, home directory, DNS servers, package metadata, and the contents of /etc/passwd and /etc/hosts, then POSTs the bundle over HTTPS to a hardcoded Burp Collaborator (*.oastify.com) subdomain (5tziqozihbss8jg955ez91bycpij69uy.oastify.com). The package has empty author and description fields, a single published version, and no other code paths; the exfiltration beacon is its only purpose, matching the standard dependency-confusion / OOB-beacon pattern. Whether deployed as research or as a live attack, installing the package leaks identifying host data and sensitive system files to an attacker-controlled out-of-band endpoint.

Source: amazon-inspector (8a4e552337fa70064e0a04644ee5a64378809a85b281eda24707bc9a6eba473f)
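Every trait the summary describes (an install-time lifecycle hook, empty author and description fields, and a hooked script that names an out-of-band beacon domain and sensitive system files) is visible in the package contents without ever running them. The following Node.js script is an added example, not code from the OSV record, from osv.dev, or from the package itself: it audits a parsed package.json together with the text of the scripts its hooks would execute and returns a verdict. The sample manifest is constructed from the report's description; the sample index.js text is a constructed placeholder containing only the indicator strings, not the real file. The domain suffix list, the sensitive-path list and the allow/review/block thresholds are assumptions chosen for this example.

```javascript
// Added example: static audit of an npm package manifest and its hook scripts
// for the install-time beacon pattern described in the report. Not the
// package's code and not part of the OSV record.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Domain suffixes used by out-of-band interaction services. oastify.com is
// named in the report; burpcollaborator.net is the older Burp Collaborator
// default. Assumed list: extend it with your own intelligence.
const OOB_DOMAIN_SUFFIXES = ['.oastify.com', '.burpcollaborator.net'];

// Sensitive paths whose mention inside an install hook deserves review
// (assumed list; /etc/passwd and /etc/hosts come from the report).
const SENSITIVE_PATHS = ['/etc/passwd', '/etc/hosts', '/etc/shadow'];

// Treat missing values, empty strings and empty objects as blank metadata.
function isBlank(value) {
  if (value === undefined || value === null) return true;
  if (typeof value === 'string') return value.trim() === '';
  if (typeof value === 'object') return Object.keys(value).length === 0;
  return false;
}

// Inspect the manifest alone. Returns an array of human-readable findings.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!isBlank(scripts[hook])) {
      findings.push(`lifecycle hook "${hook}" executes: ${scripts[hook]}`);
    }
  }
  if (isBlank(manifest.author)) findings.push('author field is empty');
  if (isBlank(manifest.description)) findings.push('description field is empty');
  if (isBlank(manifest.repository)) findings.push('no repository declared');
  return findings;
}

// Inspect the source text of a script that a lifecycle hook would run.
function auditHookSource(source) {
  const findings = [];
  const lower = source.toLowerCase();
  for (const suffix of OOB_DOMAIN_SUFFIXES) {
    if (lower.includes(suffix)) findings.push(`references OOB beacon domain ${suffix}`);
  }
  for (const p of SENSITIVE_PATHS) {
    if (source.includes(p)) findings.push(`references sensitive path ${p}`);
  }
  return findings;
}

// Combine both checks. A lifecycle hook whose script also references an OOB
// domain or a sensitive path is rated "block"; either signal alone is "review".
function ratePackage(manifest, hookSources) {
  const manifestFindings = auditManifest(manifest);
  const sourceFindings = Object.entries(hookSources).flatMap(([file, text]) =>
    auditHookSource(text).map((f) => `${file}: ${f}`));
  const hasHook = manifestFindings.some((f) => f.startsWith('lifecycle hook'));
  let verdict = 'allow';
  if (hasHook && sourceFindings.length > 0) verdict = 'block';
  else if (hasHook || sourceFindings.length > 0) verdict = 'review';
  return { verdict, findings: [...manifestFindings, ...sourceFindings] };
}

// Constructed sample mirroring the report. The manifest fields follow the
// report's description; the index.js text is NOT the real file, only two
// illustrative lines that contain the indicator strings the report names.
const SAMPLE_MANIFEST = {
  name: 'starship-timeline',
  version: '1.0.1',
  description: '',
  author: '',
  scripts: { preinstall: 'node index.js' },
};
const SAMPLE_SOURCES = {
  'index.js': [
    '// constructed placeholder, not the real index.js',
    'const beacon = "https://EXAMPLE-SUBDOMAIN.oastify.com/";',
    'const files = ["/etc/passwd", "/etc/hosts"];',
  ].join('\n'),
};

// Run the audit on the constructed sample; expected verdict is "block".
function demo() {
  return ratePackage(SAMPLE_MANIFEST, SAMPLE_SOURCES);
}

console.log(JSON.stringify(demo(), null, 2));
```

In a CI setting the same functions would be run over every package extracted from a lockfile install (each package's package.json plus the files named in its lifecycle scripts), with "block" findings failing the build and "review" findings routed to a human. Keep in mind that string matching is a cheap first filter, not a proof of safety: a hook script that builds the beacon hostname at runtime would not match the suffix list, so an empty result should lower suspicion, not clear the package.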
