Vulnerability
Malicious code in node-stack-frames (npm)
## Source: amazon-inspector (5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158)

package.json declares a preinstall script that runs an inline Node program on `npm install`. The script requires `os` and `http`, collects `os.hostname()`, `os.platform()`, and `os.arch()`, base64-encodes the result, and issues an HTTP GET to `https://d8lslmi9io6i264ftj80mh9e7niqiaenf.oast.live/?data=<encoded>`. The host is a Project Discovery interactsh (OAST) subdomain used as an out-of-band collection endpoint. The package ships no functional code (its own description identifies it as a security holding placeholder), so the only effect of installing it is the automatic exfiltration of installer host identifiers to an attacker-controlled collector. This matches a dependency-confusion / recon beacon pattern.
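A defender-side check for this pattern, as an added example that is not code from the advisory, Amazon Inspector, or the package: it parses a package.json and scores its install-time lifecycle scripts for the indicators described above (inline `node -e`, host fingerprinting via `os`, outbound HTTP, base64 encoding, OAST-style domains). The indicator list, weights, threshold, and the extra interactsh domains are assumptions; the sample package.json is constructed and its preinstall string is a non-working stand-in that only carries the indicators.

```javascript
// Added example: audit package.json lifecycle scripts for install-time beacons.
// Indicator patterns and weights are the author's assumptions, not a vendor feed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// oast.live is from the advisory; the other domains are interactsh/OOB defaults
// the author is aware of (assumed list, extend for your own environment).
const OOB_DOMAIN_RE =
  /\b[a-z0-9-]+\.(oast\.(live|fun|pro|site|online|me)|interact\.sh|burpcollaborator\.net)\b/i;

const INDICATORS = [
  { id: "inline-node", re: /\bnode\s+(-e|--eval)\b/, weight: 2 },
  { id: "host-fingerprint", re: /os\.(hostname|platform|arch|userInfo|networkInterfaces)\(/, weight: 2 },
  { id: "outbound-http", re: /require\(['"]https?['"]\)|fetch\(|\.get\(\s*['"]https?:/, weight: 2 },
  { id: "base64-encode", re: /toString\(['"]base64['"]\)|btoa\(/, weight: 1 },
  { id: "oob-domain", re: OOB_DOMAIN_RE, weight: 3 },
  { id: "curl-wget", re: /\b(curl|wget)\b/, weight: 1 },
];

// Returns per-hook findings; a hook is flagged when its weighted score reaches the threshold.
function auditInstallScripts(pkgJsonText, threshold = 4) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const matched = INDICATORS.filter((i) => i.re.test(cmd));
    const score = matched.reduce((s, i) => s + i.weight, 0);
    findings.push({ hook, hits: matched.map((i) => i.id), score, suspicious: score >= threshold });
  }
  return { name: pkg.name, findings, suspicious: findings.some((f) => f.suspicious) };
}

// Constructed sample modelled on the advisory; the preinstall value is a stub, not a beacon.
const SAMPLE_PKG_JSON = JSON.stringify({
  name: "node-stack-frames",
  version: "1.0.0",
  description: "security holding package",
  scripts: {
    preinstall:
      "node -e \"const os=require('os'),http=require('http'); /* os.hostname(), os.platform(), os.arch() -> base64 -> http://PLACEHOLDER.oast.live/?data= */\"",
    test: "echo ok",
  },
});

console.log(JSON.stringify(auditInstallScripts(SAMPLE_PKG_JSON), null, 2));
```

Run it against each package.json under node_modules (or against a candidate package's tarball before it is added to a lockfile) to surface install hooks that warrant manual review.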
No CVSS base score from NVD or GHSA and no EPSS score have been published for this record yet. Until they are, interim severity rests on KEV / exploit signals; NVD typically scores within 24–72 hours of publication and GHSA usually within a day for OSS-flagged CVEs, while FIRST.org publishes EPSS daily but does not cover pre-disclosure or reserved IDs until at least one exploitation signal lands.
No exploitation, limited impact or prevalence