npm

@clearpool/utils @100.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-3059

Ecosystem

npm

Summary

package.json declares preinstall and install lifecycle hooks that collect installer-identifying data (whoami, hostname, pwd, $npm_package_name), base64-encode it, and transmit it to attacker-controlled infrastructure at *.callback.m0chan.co.uk via two independent channels: an HTTPS GET with the encoded payload in the URL path, and a DNS lookup embedding the encoded package name as a subdomain label (DNS-tunnel exfiltration to bypass HTTP egress filters). The package uses the @clearpool scope with version 99.99.99 and empty author metadata — classic dependency-confusion markers aimed at hijacking resolution of an internal package name within organizations that use this scope privately. Any developer or CI system whose npm install resolves to this package will leak the user, host, working directory, and requested internal package name to the attacker, providing reconnaissance for follow-on targeted attacks.

Source: amazon-inspector (81591bb660ad3ae2036615d00a3ff6960ccd2f36789a4f0df65a53ea7a557336)
