Vulnerability
Malicious code in zer0onedatetool (npm)
---

## Source: amazon-inspector (73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52)

The postinstall lifecycle script in this package issues curl POST requests to a subdomain of oastify.com, the out-of-band (OAST) callback domain used by Burp Collaborator (the same class of service as Project Discovery's interactsh). On every `npm install`, the script therefore makes an outbound HTTP request to an attacker-controlled OOB endpoint. That is the canonical fingerprint of a dependency-confusion or supply-chain reconnaissance payload: the request confirms that the package landed in a victim environment and beacons identifying host information out. The destination has no connection to any legitimate package functionality.

Installer impact: any machine running `npm install` on this package automatically beacons to the attacker's OOB collector, leaking install-time host metadata and confirming code execution to the attacker.
No CVSS base score from NVD or GHSA yet.
No EPSS score from FIRST.org yet.
No exploitation, limited impact or prevalence