OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6696 confirms this npm version as malicious. @businessapp-microsites/apis@9999.0.2 is a dependency-confusion squat against the private scope `@businessapp-microsites`, published with an implausibly high version (9999.0.2) to outrank any internal registry copy. On `npm install`, its postinstall.js runs child_process.execSync to collect `hostname`, `whoami`, and `uname -a` / `ver`, combines this with os.hostname(), os.userInfo(), and CI attribution env vars...
Decision evidence
public snapshotSource & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
postinstall.jsView on unpkg · L11