
@sudoughnym/enviro-demo@99.99.99

Security research PoC - HubSpot enviro version elevation. Deprecated after demonstration.

HubSpot enviro version elevation PoC - demonstrates dependency confusion via semver version gap

OSV Malicious Advisory

scanned 4m ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6697 confirms this npm version as malicious.

Advisory: MAL-2026-6697
Source: OpenSSF Malicious Packages via OSV
Summary: Malicious code in @sudoughnym/enviro-demo (npm)
Details: @sudoughnym/enviro-demo@99.99.99 ships preinstall.js and postinstall.js lifecycle scripts that run automatically on `npm install`. Both scripts collect host identifiers and environment metadata — os.hostname(), process.cwd(), pid, node version, platform, process.env.USER, the first ten environment variable names, and the total env count — and POST them as JSON to https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7, a third-party webhook capture service not associated with the package's stated publisher. The package version (99.99.99) and its own description identify it as a dependency-confusion proof-of-concept targeting an internal `enviro` package name; the inflated semver is intended to outrank private-registry versions so internal build systems resolve to this public package. Installer harm: any build or developer machine that resolves to this version leaks host identity and environment-variable layout (which can include secret-bearing variable names) to an attacker-controlled endpoint on every install.
Decision reason: OpenSSF Malicious Packages via OSV confirms @sudoughnym/enviro-demo@99.99.99 as malicious (MAL-2026-6697): Malicious code in @sudoughnym/enviro-demo (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
High · OSV Malicious Advisory