OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10159 confirms this npm version as malicious. On `npm install`, postinstall.js runs `whoami`, reads `os.hostname()`, `process.platform`, and `process.version`, and transmits them via HTTPS GET to a hardcoded remote endpoint at https://testnpm.byte.eyes.sh/npm-proof. This fires automatically as a lifecycle hook with no user consent...
Decision evidence
public snapshotSource & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
postinstall.jsView on unpkg · L1