npm

whs4_pnm @1.0.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6953

Ecosystem

npm

Summary

The package declares a postinstall script ( node index.js ) that runs unconditionally on npm install . The script POSTs the absolute __filename path (which contains the installer's OS username via the home-directory prefix), the Node.js version, and the platform/architecture to a hardcoded Discord webhook at https://discord.com/api/webhooks/1523336123319849031/... . There is no opt-in, disclosure, or configuration option — every install silently transmits host-identifying data to an author-controlled endpoint. The package's own README and default internal packageName value ( whs4_typo ) indicate the package is positioned as a typo-target beacon, matching the typosquat-with-callback pattern where the attacker collects fingerprints of developers who mistype a legitimate package name.

Source: amazon-inspector (47d72187d8b59a9a40cb8397d064bc7319b20e19ee7d48b870432bd96952b089)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.