web-model-bridge @9999.99.99
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5697
Ecosystem
npm
Summary
On npm install , postinstall.js sends an HTTPS POST to https://ddactic-lab.online/sc/beacon carrying the package name/version, Node version, OS, CI-detection result, and the GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW environment variables when present. A DNS-lookup fallback encodes the same identifiers as a subdomain under *.b.ddactic-lab.online so the leak still completes even when HTTP egress is filtered — a pattern intended specifically to defeat egress controls. The package itself is a hollow placeholder: package.json describes it as an npm 404 error reference and index.js does nothing but require('web-model-bridge') (its own name) inside a try/catch, so the only effect of installing it is the install-time beacon. Any CI pipeline whose dependency tree references this name will leak the owning GitHub org/repo/workflow identity to an unrelated third-party domain on every build.
Source: amazon-inspector (3d2c385c177531c421e5a49f41d931890a48c16c921b23cc20f2bf4cd8fae893)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.