npm

webrix-docs1 @10.2.11

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10081

Ecosystem

npm

Summary

The package declares a preinstall hook ( node index.js ) that fires automatically on npm install . The script requires child_process , os , https , and http , collects hostname, platform, arch, username/uid/gid, shell, home directory, CPU/memory stats, cwd, and the output of whoami / id , then POSTs the JSON payload to a hardcoded Burp Collaborator (oastify.com) subdomain at https://c7kfuaf25guwigaz6r03kxet0k6bu3is.oastify.com/detox56 . The package has an empty description and empty author, presents no advertised functionality, and its name mimics the webrix project — consistent with dependency-confusion/typosquat recon. Installing the package directly leaks installer host and user identifiers to an attacker-controlled OAST endpoint.

Source: amazon-inspector (20cdefe1415c5b5245f36b10ea0de9033433b479768c2cc785ad2742b9433fce)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.