OSV ID
MAL-2026-6954
Ecosystem
npm
Summary
On npm install , the package's postinstall hook ( scripts.postinstall: node index.js ) auto-executes index.js, which builds a payload containing the absolute installation path (which reveals the installer's OS username via the home directory prefix), the Node.js version, platform, and architecture, and POSTs it to a hardcoded Discord webhook at discord.com/api/webhooks/1523336123319849031/... controlled by the author. The package's default internal name is whs4_typo and its README states it is intended to notify on typo installs; there is no legitimate functionality beyond the beacon. This is a typosquat-style reconnaissance beacon: the attacker gains identifying information about developers/build systems that mistype a target package name, on every install, with no user consent.
Source: amazon-inspector (9b6c0b02642cf1c4c0fe420fd03c0c129c21a544144878df4833373da1b98aab)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.