Vulnerability
Malicious code in node-app-doctor (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e) collect.js gathers host identifiers via os.hostname() and os.homedir(), reads local filesystem state with fs.existsSync, spawns child_process commands, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net. The destination domain is unrelated to any legitimate npm/Node tooling publisher and there is no plausible benign reason for a 'node app doctor' utility to ship installer/host telemetry to that host. The combination of system enumeration (hostname, home directory, child_process), filesystem inspection, and hardcoded plaintext HTTP POST to an unaffiliated domain is the standard host-fingerprint exfiltration shape.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence