triage-bot @1.0.1
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6346
Ecosystem: npm
Summary
package.json declares preinstall: node index.js, so the payload runs automatically on npm install with no user action. index.js requires os, fs, and https, then collects hostname, username, home directory, DNS servers, current working directory, and package metadata, and reads the contents of /etc/passwd and /etc/hosts (index.js:18-19). The aggregated JSON is HTTPS POSTed to t3x60c96rz2gi7qxftonjplmmdsbg14q.oastify.com, a Burp Collaborator out-of-band-interaction subdomain controlled by the publisher. Package metadata is empty (author '', description '', ISC license) and the package ships no functional code; it exists solely as an install-time beacon, consistent with a dependency-confusion / pen-test harvest payload.
Source: amazon-inspector (2ef2bb10931626a345e1277463f9c2ec6ca36108c2d6131c9210707ea5692a64)