OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10181 confirms this npm version as malicious. On `npm install`, both preinstall and postinstall lifecycle hooks execute index.js, which collects host reconnaissance (os.hostname(), os.userInfo().username, os.homedir(), current working directory, DNS servers from dns.getServers(), and package metadata) and exfiltrates it via DNS lookup and an HTTPS POST to a subdomain of oast.fun (interact.sh OAST collaborator)...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource collects local host identity data and sends it to an external endpoint.
index.jsView on unpkg · L1Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg