npm

webrix-docs @20.2.11

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10080

Ecosystem

npm

Summary

package.json declares preinstall: node index.js , which runs automatically on npm install . index.js collects host reconnaissance data — os.hostname(), os.userInfo() (username, uid, gid, homedir), process.platform, cwd, and the output of whoami / id spawned via child_process — and POSTs it as JSON to the hardcoded URL https://c7kfuaf25guwigaz6r03kxet0k6bu3is.oastify.com/detox56 (a Burp Collaborator / oastify.com out-of-band interaction subdomain). The package has an empty description and author, no library code, and a name that mimics the legitimate webrix UI library — consistent with a typosquat/dependency-confusion lure whose only purpose is the install-time beacon.

Source: amazon-inspector (bec06de7c68db5cdd90e4b05be057a583f1a2318174916af07ed86d52a5011fc)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.