
verify-mycommand@2.0.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4344

Ecosystem

npm

Summary

On npm install, postinstall.js executes whoami and id, collects host identity (hostname, platform, cwd) and CI metadata (the CI, GITHUB_REPOSITORY and NODE_ENV environment variables), and beacons the data via an HTTPS GET to a hardcoded Burp Collaborator subdomain, md3zp4gf8gwxh437mjijacjbe2ky8pwe.oastify.com. A DNS lookup of <whoami>.<host> is also performed as a second, out-of-band exfiltration channel. The package's own metadata describes it as a 'Security research canary' with a 'Takeover By lobo' marker, consistent with a dependency-confusion proof-of-concept or namespace hijack, but the install-time behavior is real exfiltration of installer identity and CI context to an attacker-controlled OAST endpoint regardless of stated intent. Any machine that runs npm install on this package, including CI runners, leaks host and CI identifiers to a third party.

Source: amazon-inspector (2f94ffb54a2471d0cc94ce1ea88f741e034221a374f17bfadbd609cb22f14f24)
