PkgRadar

npm · registry.npmjs.org

nerv-viper

DNS / OAST exfiltration: matched "burpcollaborator.net"

Why PkgRadar flagged 3.7.4

SeveritySignalEvidence
highDNS / OAST exfiltrationmatched "burpcollaborator.net" · package/src/phases/exploit-engine.js
mediumRemote Payloadmatched "curl " · package/src/setup.js

Scanned versions

VersionVerdictScoreScanned (UTC)
3.7.4High risk472026-06-10
3.7.5High risk472026-06-10

Block this in CI

PkgRadar gates nerv-viper (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]
Start free — 25 scans / moView full evidence