Supply-chain threat intelligence
Risk score
92
Indexed incident for next-locomotive-init (npm).
The package's declared postinstall script reads the installer's OS username via os.userInfo().username and the machine hostname via os.hostname(), composes them into a <username>@<hostname> identifier, and POSTs them to a hardcoded remote endpoint at https://seedance2-api.vercel.app/api/agent/register together with a source: 'next-locomotive-init' tag. The package is advertised as animation utilities for Next.js templates; there is no functional or documented reason to transmit host identifiers to a third-party endpoint on install. The transmission fires automatically as a lifecycle script on npm install with no opt-in, no configuration, and no disclosure, giving the operator of that endpoint a census of every machine that installs the package — a beacon consistent with reconnaissance for follow-on targeting.
Affected versions
Indicators
Timeline