Supply-chain threat intelligence
Risk score
92
Indexed incident for ac-raf-emitter (npm).
package.json declares a preinstall lifecycle script that runs curl -X POST against a hardcoded webhook.site collector URL (https://webhook.site/54919426-084d-4288-8f80-e36ae5c76e32), passing the installer's hostname and a timestamp as query parameters. The exfiltration fires automatically on npm install before any consumer code runs. The destination is an anonymous, author-controlled request-inspection endpoint with no legitimate role in the package's advertised functionality.
Affected versions
Indicators
Timeline