npm

utils-style-engine @10.2.4

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10609

Ecosystem

npm

Summary

The package declares a preinstall hook that runs index.js on npm install. index.js collects host identifiers (os.hostname(), os.userInfo(), uid/gid, shell, homedir, process.platform, cwd, and the output of whoami / id via child_process) and POSTs the collected data as JSON to a hardcoded external endpoint at https://mj9yg25wm8m4vnkrrok8lwcogfm6awyl.oastify.com/detox56 (a Burp Suite Collaborator subdomain). The package ships no other functionality: package.json has an empty description, empty author, no repository, and the generic name utils-style-engine ; the only shipped file besides the manifest is the beacon script. The shape is consistent with a dependency-confusion / reconnaissance probe.

Source: amazon-inspector (3049309c5f74bd1b453bcd51803cb7b8ddbbab2d3038f10d13e11a592dff6f52)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.