two-factor-prompt-lib @0.0.1-poc
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6414
Ecosystem
npm
Summary
Package self-identifies as a dependency-confusion proof-of-concept aimed at an internal/private package name. The postinstall script (postinstall.js) prints the host's hostname and current timestamp to local stdout via console.log; it performs no network I/O, no remote fetch, no credential access, and no filesystem modification beyond what npm itself does on install. While the current payload is benign (local logging only), the package's stated purpose is to demonstrate that an organization installing the public name would unintentionally pull this package in place of an internal counterpart. Routing to human review so an organization can decide whether to claim/block the name in their internal namespace.
Source: amazon-inspector (95ebb96758f051c0a5a1c8fe97fb05c898f2489f4567fb64fbd271eb103dcadc)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.