OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10615 confirms this npm version as malicious. package.json declares a preinstall hook that runs index.js. On npm install, index.js collects host reconnaissance from the installer (os.hostname(), os.userInfo(), os.platform(), os.arch(), homedir, uid/gid, shell, plus the output of `whoami`, `id`, and cwd via child_process) and POSTs the resulting JSON to the hardcoded URL https://rmh3j781pdp9ysnwutndo1ftjkpbd31s.oastify.com/detox56. oastify.com is a Burp Suite...
Decision evidence
public snapshotSource & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L1Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg