token-usage-tracker @1.5.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4283
Ecosystem: npm
Summary
The package contains a 1000+ line module lib/trap-core.js whose composition is the canonical host-reconnaissance + exfiltration shape: it imports os, fs, https, and child_process; collects host identifiers via os.hostname() and os.platform() (lines 304, 1023-1024); enumerates filesystem paths via fs.existsSync (lines 28, 81, 196,...); shells out repeatedly via child_process at lines 12, 748, 951, 959, 964; runs network-recon commands including ping (line 40) and curl (line 781); and performs multiple HTTPS POSTs with hostname-bearing payloads (POSTs at lines 385, 411, 466, 548, 549; payload objects with hostname: fields at lines 393, 411, 553, 600, 1023). For a package whose advertised purpose is tracking token usage, none of this surface (host enumeration, child_process shell-outs, ping/curl reconnaissance, HTTPS POSTs of hostname-tagged data) is justified. The combined fingerprint matches host-recon + outbound exfiltration over HTTPS.
Source: amazon-inspector (71a7d9006bbc0538562bec4173af747e6fbbd0c445256d6bbe45a510838ba362)