npm

wsh4_npm @1.0.0

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC

Malicious

OSV ID

MAL-2026-6954

Ecosystem

npm

Summary

On npm install , the package's postinstall hook ( scripts.postinstall: node index.js ) auto-executes index.js, which builds a payload containing the absolute installation path (which reveals the installer's OS username via the home directory prefix), the Node.js version, platform, and architecture, and POSTs it to a hardcoded Discord webhook at discord.com/api/webhooks/1523336123319849031/... controlled by the author. The package's default internal name is whs4_typo and its README states it is intended to notify on typo installs; there is no legitimate functionality beyond the beacon. This is a typosquat-style reconnaissance beacon: the attacker gains identifying information about developers/build systems that mistype a target package name, on every install, with no user consent.

Source: amazon-inspector (9b6c0b02642cf1c4c0fe420fd03c0c129c21a544144878df4833373da1b98aab)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.