OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10099 confirms this npm version as malicious. On npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of the installing machine — os.hostname(), os.userInfo().username, platform, arch, node version, cwd, INIT_CWD, npm user-agent, and the sorted list of every process.env variable name — to a hardcoded webhook.site canary URL...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource collects local host identity data and sends it to an external endpoint.
postinstall.jsView on unpkg · L19Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
postinstall.jsView on unpkg · L19