vybscan-testbed-inert-postinstall @1.0.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10078
Ecosystem
npm
Summary
package.json declares a postinstall lifecycle script that runs id and reads the process environment, piping the collected host identity and environment variables to a remote endpoint via curl. This fires automatically on npm install without user interaction, causing the installer's environment variables (which routinely contain credentials, tokens, and API keys) and user/host identity to be transmitted off-host to an attacker-controlled destination.
Source: amazon-inspector (f4e6f35e49b7701bb75a88eb63fcf918c389272d5282093c8422d9e1f388dd38)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.