OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5188 confirms this npm version as malicious. package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2)...
Decision evidence
public snapshotSource & flagged code
5 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution with blocking evidence.
package.json#scripts.postinstallView on unpkg · L1Source appears to send environment or credential material to an external endpoint.
package.json#scripts.postinstallView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
package.json#scripts.postinstallView on unpkg · L1