OSV ID
MAL-2026-6950
Ecosystem
npm
Summary
The package's postinstall script runs node index.js on install, which invokes reportLoadedFrom to POST installer-side data to a hardcoded Discord webhook ( discord.com/api/webhooks/1523336123319849031/... ). The transmitted payload includes the absolute filesystem path of the install location (which leaks the user's home directory / username), the Node.js version, and process.platform / process.arch . There is no disclosure, opt-in, or configuration surface — the destination is a fixed author-controlled channel. Package naming ( whs4_nmp , internal default whs4_typo ) and README framing ( typo 발생시 안내합니다 ) indicate a dependency-confusion / typosquat probe designed to notify the author whenever a mistyped install lands on a real machine, harvesting host identifiers without consent.
Source: amazon-inspector (53a1fc3c42fcd64070dd50db1ed23a9f238bd10fea9bba087cb605f7419af28c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.