npm

vybscan-testbed-inert-postinstall @1.0.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10078

Ecosystem

npm

Summary

package.json declares a postinstall lifecycle script that runs id and reads the process environment, piping the collected host identity and environment variables to a remote endpoint via curl. This fires automatically on npm install without user interaction, causing the installer's environment variables (which routinely contain credentials, tokens, and API keys) and user/host identity to be transmitted off-host to an attacker-controlled destination.

Source: amazon-inspector (f4e6f35e49b7701bb75a88eb63fcf918c389272d5282093c8422d9e1f388dd38)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.