npm

whs4_nmp @1.0.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6950

Ecosystem

npm

Summary

The package's postinstall script runs node index.js on install, which invokes reportLoadedFrom to POST installer-side data to a hardcoded Discord webhook ( discord.com/api/webhooks/1523336123319849031/... ). The transmitted payload includes the absolute filesystem path of the install location (which leaks the user's home directory / username), the Node.js version, and process.platform / process.arch . There is no disclosure, opt-in, or configuration surface — the destination is a fixed author-controlled channel. Package naming ( whs4_nmp , internal default whs4_typo ) and README framing ( typo 발생시 안내합니다 ) indicate a dependency-confusion / typosquat probe designed to notify the author whenever a mistyped install lands on a real machine, harvesting host identifiers without consent.

Source: amazon-inspector (53a1fc3c42fcd64070dd50db1ed23a9f238bd10fea9bba087cb605f7419af28c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.