testing-on-npmjs @2.0.6
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4356
Ecosystem
npm
Summary
On npm install, postinstall.js executes two attacker-controlled actions automatically. First, it collects installer-side identity (whoami, id, os.hostname(), os.platform(), current working directory) and CI-related environment variables (CI, GITHUB_REPOSITORY, NODE_ENV) and sends them via HTTPS GET to a Burp Collaborator OAST endpoint at qzt3b82juki138pb8n4nwg5f0664uvik.oastify.com (postinstall.js lines 11, 36-43). Second, it opens a TCP socket to the hardcoded address 10.10.10.247:4444 and pipes a /bin/sh (or cmd.exe on Windows) child process's stdio through the socket, granting an interactive remote shell to whoever controls that endpoint (postinstall.js lines 55-63). The package's own README ("Takeover By lobo") and description ("Security research canary — vercel") confirm the takeover/backdoor intent. Any environment running npm install on this package is fully compromised: identity leaked plus arbitrary remote code execution.
Source: amazon-inspector (1575dee70b1f079b297d26405595aa16591e62de8fac896cf9ea485d6f534132)