npm

voyager-web@999.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-5696

Ecosystem

npm

Summary

package.json declares both preinstall and postinstall lifecycle hooks that execute callback.js on npm install. callback.js collects installer-side identifiers (os.hostname(), username, uid/gid, homedir, platform, cwd, local IP, external IP via https://api.ipify.org, Node version, package name) and CI environment indicators (presence of GITHUB_TOKEN/AWS_ACCESS_KEY_ID/NPM_TOKEN, GITHUB_REPOSITORY, GITHUB_ACTOR, JENKINS_URL, etc.) and POSTs the JSON payload to a hardcoded Discord webhook at discord.com/api/webhooks/1514602063399747595/<redacted>. A DNS-based exfiltration fallback is also present. The package name typosquats Reddit's open-source voyager-web, and the version 999.0.0 is the canonical dependency-confusion version bump used to override an internal/private package of the same name. The package describes itself as a security research PoC, but its net effect on any non-consenting installer is automatic exfiltration of host and CI credentials/metadata to an attacker-controlled channel.

Source: amazon-inspector (a7f4f15201378ec6cee4268469e85e17e50f3f5299d94a250031d6c2693177b8)
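As an added defender-side example (not part of the OSV record or of the package itself), the following audits a parsed package.json for the two traits the summary describes: install-time lifecycle hooks and a dependency-confusion style version bump, plus an optional collision check against a list of internal package names. The sample manifest, the internal-name list and the major-version threshold are constructed assumptions.

```javascript
// Lifecycle hooks that npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// A major version this high is the classic dependency-confusion bump
// (999.0.0 in this advisory). The threshold itself is an assumption.
const SUSPICIOUS_MAJOR = 100;

// Audit one parsed package.json object; returns a list of findings.
// internalNames is an assumed allowlist of private package names to compare against.
function auditManifest(manifest, internalNames = []) {
  const findings = [];
  const scripts = manifest.scripts || {};

  // 1. Any install-time hook means code runs on the installer's machine.
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      findings.push({
        kind: 'lifecycle-hook',
        detail: `${hook} runs "${scripts[hook]}" automatically on npm install`,
      });
    }
  }

  // 2. Implausibly high major version: the bump used to win resolution
  //    against an internal package of the same name.
  const major = parseInt(String(manifest.version || '').split('.')[0], 10);
  if (Number.isFinite(major) && major >= SUSPICIOUS_MAJOR) {
    findings.push({
      kind: 'version-bump',
      detail: `version ${manifest.version} looks like a dependency-confusion bump`,
    });
  }

  // 3. Public package whose name matches one of our internal packages.
  if (internalNames.includes(manifest.name)) {
    findings.push({
      kind: 'name-collision',
      detail: `name "${manifest.name}" collides with an internal package`,
    });
  }

  return findings;
}

// Constructed sample mirroring the advisory's shape (hook names and version only).
const SAMPLE_MANIFEST = {
  name: 'voyager-web',
  version: '999.0.0',
  scripts: { preinstall: 'node callback.js', postinstall: 'node callback.js' },
};
```

Running auditManifest(SAMPLE_MANIFEST, ['voyager-web']) yields four findings: two lifecycle hooks, one version bump and one name collision; a manifest with only a test script and a normal version yields none.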
