unicocheck-ios @9.9.9
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5831
Ecosystem
npm
Summary
package.json declares a preinstall lifecycle script that runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query parameters carrying the installer's hostname, username ($(whoami)), current working directory, OS uname output, and HOME path. This fires automatically on npm install before any user code runs, leaking host identifiers and environment context to a third-party webhook capture endpoint controlled by the publisher. The package metadata (name unicocheck-ios , description Unico Check iOS SDK - biometric identity verification , version 9.9.9 ) impersonates the Unico vendor's iOS SDK and uses the canonical dependency-confusion sentinel version, indicating the package is positioned to win resolution against an internal package name and harvest data from build environments that mistakenly fetch it from the public registry.
Source: amazon-inspector (bafc91c569cf42c5f1ff68531a8d5238919f595368ffa90b7d4e5bcc74fe9788)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.