npm

worker-build @9.0.2

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-5677

Ecosystem

npm

Summary

package.json declares "postinstall": "node main.js" , so installation of worker-build@9.0.1 unconditionally executes main.js on npm install . main.js collects host identity (os.hostname(), os.userInfo().username, os.homedir(), process.cwd(), process.argv), reads the consumer's package.json, runs git config --get remote.origin.url , and iterates a hardcoded list of credential-shaped environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, NPM_TOKEN, GITHUB_TOKEN, GITLAB_TOKEN, API_KEY, SECRET_KEY, PASSWORD, TOKEN, DATABASE_URL, MONGODB_URI, REDIS_URL), capturing the first 50 characters of each populated value. The collected JSON payload is POSTed in cleartext to http://jh4wt1kccd0ul174qgmge9n8izozcu0j.oastify.com/exfil and /api/exfil , with an additional DNS lookup against the same host as a side-channel beacon. The package name mimics legitimate Cloudflare Workers build tooling, positioning the package for dependency-confusion against installers that misresolve an internal name to the public registry.

Source: amazon-inspector (0e11b6161f4fe3c591bddadbf275003eaac33a1478cda408ac51d85230292e6d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.