Vulnerability
Malicious code in workflow-postgres-setup (npm)
---

## Source: amazon-inspector (19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963)

The package advertises itself as a Postgres/workflow setup helper but ships no library code: the declared main entry `index.js` is absent from the tarball. Its only functional code is `bin/run.js`, which on invocation (via `npx workflow-postgres-setup` or the installed bin) reads `process.env.INIT_CWD || process.cwd()`, takes the basename, and POSTs it as JSON to a hardcoded third-party endpoint at `https://deepbounty.dd06-dev.fr/cb/33d63669-244d-4409-9fba-eb1d32d10cc1`. The package's own description self-identifies as a dependency-confusion / npx-typosquat proof-of-concept.

Project directory names can themselves be sensitive (internal codenames, customer names, unreleased product identifiers), and the beacon attributes the leak to a specific tracking ID controlled by the operator of the callback domain. The generic, functionality-promising name is consistent with typosquat / dependency-confusion bait targeting developers searching for Postgres setup tooling.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence