OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5188 confirms this npm version as malicious. package.json declares a postinstall script that, on npm install, (1) enumerates process.env plus os.hostname(), os.platform(), os.arch(), and whoami output, base64-encodes the collected data, and issues an HTTP GET to a hardcoded pipedream request-bin at http://eodxy50gl486xrx.m.pipedream.net/, exfiltrating installer environment variables and host identity to an attacker-controlled endpoint over cleartext HTTP; (2)...
Decision evidence
public snapshotSource & flagged code
5 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource appears to send environment or credential material to an external endpoint.
package.json#scripts.postinstallView on unpkg · L1Source collects local host identity data and sends it to an external endpoint.
package.json#scripts.postinstallView on unpkg · L1Source reaches cloud instance metadata or link-local credential endpoints.
package.json#scripts.postinstallView on unpkg · L1