type-check-816d @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-6101
Ecosystem
npm
Summary
The package declares a postinstall hook ("postinstall": "node run.js") that runs run.js automatically on npm install. run.js imports os, https, http, and child_process, reads host identifiers and environment data (process.env.USER, os.hostname(), os.platform(), process.cwd()), base64-encodes the payload (Buffer.from(...).toString('base64')), and exfiltrates it via outbound HTTP/HTTPS requests (multiple POST calls and a GET). The package name appears to be a numeric-suffixed lure with no legitimate documented purpose, and the postinstall behavior is a credential/host-recon exfiltration pattern rather than any build or setup task. Installing this package causes immediate, unattended exfiltration of installer host data to an attacker-controlled endpoint.
Source: amazon-inspector (6bd3f7912317a2b9465a4c22ea948951f70aaa8c0d12f152572d43febc5667dd)