npm · registry.npmjs.org
@fanboynz/network-scanner
Why PkgRadar flagged 3.4.0
| Severity | Signal | Evidence |
|---|---|---|
| high | DNS / OAST exfiltration | matched "dig lookups - COMPLETE FIXED VERSION\n * Provides domain analysis capabilities with proper timeout handling, custom whois servers, and retry logic\n */\n\n// execFile (no shell) for whois/dig invocations -- arguments are passed\n// directly to the executable as an argv array, so shell metacharacters in\n// config-supplied hostnames or server names CANNOT execute commands. The\n// prior `exec(string)` approach interpolated tainted values into a shell\n// string protected only by double-quoting, which doesn't stop $(" · package/lib/nettools.js |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 3.4.0 | High risk | 21 | 2026-06-13 |
| 3.0.3 | High risk | 29 | 2026-06-10 |
| 3.3.0 | High risk | 21 | 2026-06-10 |
| 3.2.0 | High risk | 21 | 2026-06-10 |
| 3.0.2 | High risk | 29 | 2026-06-10 |
| 3.0.1 | High risk | 29 | 2026-06-10 |
| 3.0.0 | High risk | 29 | 2026-06-10 |
| 3.1.2 | High risk | 21 | 2026-06-10 |
| 3.1.0 | High risk | 21 | 2026-06-10 |
Block this in CI
pkgradar gate --ecosystem npm @fanboynz/network-scanner@3.4.0