registry  /  library-explorer  /  25.2.1

library-explorer@25.2.1

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10205 confirms this npm version as malicious. package.json declares `preinstall: node index.js`. On `npm install`, index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out `whoami` and (non-Windows) `id` via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56...

Advisory
MAL-2026-10205
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in library-explorer (npm)
Details
package.json declares `preinstall: node index.js`. On `npm install`, index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out `whoami` and (non-Windows) `id` via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56. The package ships no real functionality (empty description/author, single preinstall script) and is consistent with a dependency-confusion / internal-name recon beacon staged to fire automatically on install.
Decision reason
OpenSSF Malicious Packages via OSV confirms library-explorer@25.2.1 as malicious (MAL-2026-10205): Malicious code in library-explorer (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory