Vulnerability
Malicious code in gpt-sdk (npm)
## Source: amazon-inspector (8b9bdc5e04979d5b4f73407bcedaecc9df24dbb03e0bfbc0edefe333023dc50c)

On `npm install`, postinstall.js runs unconditionally and collects a wide range of installer-side reconnaissance data: hostname and FQDN, contents of /etc/hosts (non-loopback entries, often internal domain controllers and service mappings on corporate machines), Windows Active Directory variables (USERDNSDOMAIN, USERDOMAIN, LOGONSERVER), USERNAME, USERPROFILE, the OneDrive folder name (which frequently contains the company name), VPN client signals, the configured npm registry URL, and CI repository identifiers (GITHUB_REPOSITORY, CIRCLE_*, CI_PROJECT_PATH, BITBUCKET_REPO_FULL_NAME, BUILD_REPOSITORY_URI, TRAVIS_REPO_SLUG, JENKINS_URL, CI_SERVER_URL). The collected fields are concatenated into a query string and sent via plaintext HTTP GET to http://46.224.67.169:3000/ping.

The package's main module is empty (`module.exports = {}`), so the postinstall beacon is the package's only effect, and the README falsely claims `No data is collected.` This is a classic supply-chain reconnaissance/targeting payload designed to map corporate networks, internal AD topology, and CI/CD environments of installers.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / exploit signals and the EPSS percentile. The score is filled in automatically once the source publishes it.
FIRST.org publishes EPSS daily. Coverage isn't universal: pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. The score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence