@ceeferenderer/fe-renderer-sdk @99.9.9

Summary

Package runs malicious code both at install time (package.json install script: node index.js ) and at require time ( main: index.js ). index.js silently requires ./lib/core inside a try/catch. lib/core.js, with the help of two obfuscated helper modules (lib/b02e30.js and lib/6ad264.js), builds the strings 'os', 'dns', and 'oob.sl4x0.xyz' from numeric character-code arrays via String.fromCharCode and loads built-in modules through module.constructor._load(...) to evade static inspection. It then assembles the subdomain ceefe.<username>.<hostname>.<cwd_basename>.<unix_timestamp>.oob.sl4x0.xyz and issues a dns.resolve4() lookup, exfiltrating the installer's OS username, hostname, and working-directory name to an attacker-controlled domain over DNS. The combination of auto-execution on install and require, character-code obfuscation of both the target domain and built-in module names, DNS (rather than HTTP) as the exfil channel, random-hex-named helper files, and silent try/catch swallowing of errors is an unambiguous credential-reconnaissance beacon.

Source: amazon-inspector (feee20bafab758bb648bbe425a100a13e6d21799552a2b5566fe6029faef6ce4)