walmart-shared-modules @99.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4710
Ecosystem
npm
Summary
Package declares a preinstall script, node poc.js, which on npm install collects host identity (os.hostname, whoami/id, ipconfig/ip a output), scrapes environment variables matching credential-shaped prefixes (TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, JENKINS, CI_, WALMART, WMT), reads the parent project's package.json and CI configuration files (.gitlab-ci.yml, .github/workflows, Jenkinsfile), and HTTPS POSTs the aggregated JSON to a hardcoded interactsh OOB endpoint at d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me, plus a DNS callback carrying a hex-encoded hostname/username. The package is published at version 99.0.1 with a self-described 'Dependency Confusion PoC' purpose targeting Walmart's internal walmart-shared-modules namespace, intended to win npm's highest-version-wins resolution. Any installer outside Walmart's authorized testing scope still suffers full environment and CI-secret exfiltration; the self-declared 'security research' framing does not neutralize the harm to unrelated installers.
Source: amazon-inspector (e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a)