registry  /  conversionvaluemanager  /  3.0.0

conversionvaluemanager@3.0.0

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10084 confirms this npm version as malicious. On npm install, postinstall.js automatically runs and gathers installer-identifying data (os.hostname(), os.userInfo(), os.platform(), cwd, Node version, timestamp), then sends it as query-string parameters via plain-HTTP GET to a Burp Collaborator subdomain at aq4v2egelzh9n07h3l9d2b5mvd14pvdk.oastify.com/adjust-dep-confusion. The package.json description self-identifies as a dependency-confusion proof-of-concept...

Advisory
MAL-2026-10084
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in conversionvaluemanager (npm)
Details
On npm install, postinstall.js automatically runs and gathers installer-identifying data (os.hostname(), os.userInfo(), os.platform(), cwd, Node version, timestamp), then sends it as query-string parameters via plain-HTTP GET to a Burp Collaborator subdomain at aq4v2egelzh9n07h3l9d2b5mvd14pvdk.oastify.com/adjust-dep-confusion. The package.json description self-identifies as a dependency-confusion proof-of-concept ("PoC - Dependency Confusion - Bug Bounty by ha4x0r"), and the package name targets an internal/private package name. Any organization whose build misresolves to this public package leaks host, user, and environment identifiers to the third-party Collaborator endpoint on install. PoC/bug-bounty framing does not change the installer-side impact: the beacon fires on every install.
Decision reason
OpenSSF Malicious Packages via OSV confirms conversionvaluemanager@3.0.0 as malicious (MAL-2026-10084): Malicious code in conversionvaluemanager (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory