@whatnot-web/www-legacy@99.1.1 is a dependency-confusion shell targeting the Whatnot org scope. The package ships an empty library (index.js exports {}), a generic description, blank author, and an inflated version (99.1.1) — the canonical dependency-confusion shape designed to win resolution against an internal package of the same name. On npm install, postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), and a 2-level directory listing of the working directory, base64-encodes the JSON payload, and POSTs it via HTTPS to the hardcoded interactsh collector wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun. A hex-encoded DNS-lookup fallback to the same host is included to defeat HTTPS egress filtering. The collected information identifies internal build hosts and source-tree layouts and is suitable for staging follow-on attacks against the targeted organization.

The OpenSSF Package Analysis project identified '@whatnot-web/www-legacy' @ 99.1.2 (npm) as malicious.

It is considered malicious because:

• The package communicates with a domain associated with malicious activity.