OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10201 confirms this npm version as malicious. package.json declares a `postinstall` script that runs `node index.js`. On `npm install`, index.js collects the installer's username (os.userInfo()), hostname (os.hostname()), and current working directory (process.cwd()), then POSTs them as JSON via https.request to the hardcoded endpoint https://webhook.site/cd23dfb8-a0fc-4ff7-818c-f7812fcb4bec...
Advisory
MAL-2026-10201
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in bugexploit (npm)
Details
package.json declares a `postinstall` script that runs `node index.js`. On `npm install`, index.js collects the installer's username (os.userInfo()), hostname (os.hostname()), and current working directory (process.cwd()), then POSTs them as JSON via https.request to the hardcoded endpoint https://webhook.site/cd23dfb8-a0fc-4ff7-818c-f7812fcb4bec. The transmission is unconditional and fires automatically on default install. The destination is a generic webhook-capture service unrelated to any declared package purpose, and the collected fields are host identifiers useful for victim triage / beacon confirmation.
Decision reason
OpenSSF Malicious Packages via OSV confirms bugexploit@99.9.9 as malicious (MAL-2026-10201): Malicious code in bugexploit (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory