VDB
KO

MAL-2026-10084

Malicious code in conversionvaluemanager (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (21445a74cc1c4d33c89f1a7d8c357c79d5adb11cda135c813676b23c875418e9) On npm install, postinstall.js automatically runs and gathers installer-identifying data (os.hostname(), os.userInfo(), os.platform(), cwd, Node version, timestamp), then sends it as query-string parameters via plain-HTTP GET to a Burp Collaborator subdomain at aq4v2egelzh9n07h3l9d2b5mvd14pvdk.oastify.com/adjust-dep-confusion. The package.json description self-identifies as a dependency-confusion proof-of-concept ("PoC - Dependency Confusion - Bug Bounty by ha4x0r"), and the package name targets an internal/private package name. Any organization whose build misresolves to this public package leaks host, user, and environment identifiers to the third-party Collaborator endpoint on install. PoC/bug-bounty framing does not change the installer-side impact: the beacon fires on every install.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / conversionvaluemanager

No fixed version published yet for conversionvaluemanager (npm). Pin to a known-safe version or switch to an alternative.

References