vaults-monitor-cron @999.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5784
Ecosystem
npm
Summary
On npm install , the package's preinstall hook ( node postinstall.js || true ) executes automatically. The script collects hostname, username, and current working directory, then iterates process.env and filters keys matching the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i, capturing CI tokens, SSH keys, deploy credentials, cloud API keys, RPC/wallet secrets, and similar. The collected JSON payload is POSTed via https.request to the hardcoded bare IP 185.130.46.35:8443/collect. The package metadata reinforces the attack shape: version 999.0.0 and description "Internal package" are the canonical dependency-confusion pattern, intended to override an organization's internal vaults-monitor-cron package. The || true suffix on the preinstall command swallows errors so the install appears to succeed silently. There is no legitimate functionality in the package — its sole on-install effect is credential exfiltration.
Source: amazon-inspector (b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.