npm

vega-lite-next @19.2.1

Vulnerability report · Last retrieved from osv.dev July 1, 2026 at 10:05 PM UTC

Malicious

OSV ID

MAL-2026-6709

Ecosystem

npm

Summary

Package name impersonates the popular vega-lite library but ships no vega functionality — only a preinstall exfiltration stub. package.json declares "preinstall": "node index.js". On npm install, index.js collects os.hostname(), platform, arch, os.userInfo() (username/uid/gid/shell), homedir, cwd, and the output of whoami and id executed via child_process, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://kbztayu6auucui8s9ucz2mujkaq1er2g.oastify.com/detox56. The combination of typosquat naming, absence of library functionality, automatic preinstall execution, shell reconnaissance, and an attacker-controlled exfil endpoint is an unambiguous supply-chain attack against developers who mistype or are tricked into installing the lookalike.

Source: amazon-inspector (8c98ee24f91eaab2bc8360306a75519ae167dcbc3c7bd38cc395fbaa9590f4cd)
