token-prices-cron @999.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5782
Ecosystem
npm
Summary
On npm install , the preinstall lifecycle script in postinstall.js enumerates process.env, filters keys matching a broad credential regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), and bundles them with hostname, username, cwd, and npm registry/prefix metadata. The collected payload is POSTed over the network to a hardcoded bare IP at 185.130.46.35:8443 — no domain, no TLS verification context, no documented purpose. The package itself is a hollow shell: index.js is module.exports = {} , the description is 'Internal package', and the version is 999.0.0 — the canonical dependency-confusion shape designed to win resolution against a private-registry package of the same name and trigger the credential harvester on corporate build machines. A source comment confirms intent ('Exfil CI environment variables on install').
Source: amazon-inspector (10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.