VDB
KO

MAL-2026-10085

Malicious code in dependency_confusions (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2c5eab14c78cbbb6e4b580162a242817f899f6529485cb7f9197b6dfe05a3413) package.json declares a postinstall hook that runs index.js on npm install. On execution, index.js collects the installer's OS username (os.userInfo()), hostname (os.hostname()), current working directory, local IPv4 address, and platform (os.platform()), then POSTs the collected fields as JSON to a hardcoded webhook.site endpoint (https://webhook.site/264e1903-28ea-48ea-8c55-be58c5a76791). Fires automatically as a lifecycle hook without user consent, matching the classic dependency-confusion reconnaissance beacon: the exfiltrated username/hostname/cwd/localIP reveal internal build hosts and internal package namespaces that an attacker uses to target follow-on dependency-confusion attacks against the victim's private registry.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / dependency_confusions

No fixed version published yet for dependency_confusions (npm). Pin to a known-safe version or switch to an alternative.

References