OSV Malicious Advisory
scanned 8d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6396 confirms this npm version as malicious. signup-embedder@99.99.99-poc2 ships preinstall.js and postinstall.js lifecycle scripts that auto-execute on `npm install`. preinstall.js collects hostname, current working directory, pid, Node version, platform/arch, user, and the list of environment variable names, and POSTs them as JSON to https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7; it also performs a DNS lookup against...
Advisory
MAL-2026-6396
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in signup-embedder (npm)
Details
signup-embedder@99.99.99-poc2 ships preinstall.js and postinstall.js lifecycle scripts that auto-execute on `npm install`. preinstall.js collects hostname, current working directory, pid, Node version, platform/arch, user, and the list of environment variable names, and POSTs them as JSON to https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7; it also performs a DNS lookup against `<timestamp>.callbacks.report` for out-of-band confirmation. postinstall.js POSTs a similar host fingerprint (host, cwd, pid, node, platform) to the same webhook.site URL. The package's own description and comments label it a 'HubSpot dependency confusion PoC', and the 99.99.99-poc2 version is the canonical high-version shape used to win resolution against an internal package of the same name. Regardless of the 'PoC' framing, the package is published on the public npm registry and any installer (CI, developer machine, internal build) that resolves the name will have its host identifiers and environment variable names beaconed to an attacker-controlled collector and DNS sink, enabling internal-network mapping and follow-on targeting.
## Source: ghsa-malware (8595830013c2298b23fd077af3a2e8ce9722520fdfff68d04ef8135ce11173ca) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms signup-embedder@99.99.99-poc3 as malicious (MAL-2026-6396): Malicious code in signup-embedder (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory