@databus-service-ui/scroll-up-content @9.9.10
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4378
Ecosystem: npm
Summary
scripts/postinstall.js performs two independent attacker-benefit actions when npm install runs.

First, it scrapes installer-side secrets: environment variables matching npm_token, github_token, aws_access_key_id, aws_secret_access_key, aws_session_token, node_auth_token, npm_config__auth, artifactory_token and nexus_token, plus the contents of ~/.npmrc, /etc/npmrc, cwd/.npmrc and ../.npmrc, along with hostname, user, CI flags and PATH. It POSTs the bundle to https://oob.moika.tech/report with an X-Secret header.

Second, it fetches a per-OS payload from https://oob.moika.tech/payload/{linux|mac|win} with no pinning and no hash verification, writes it to the OS temp directory as ._databus-service-ui_init.sh or ._databus-service-ui_init.bat, chmods it 0755, and spawns it via /bin/sh or cmd.exe in a detached process with stdio ignored.

The package scope (@databus-service-ui) uses a placeholder corporate domain with no public footprint, consistent with a dependency-confusion lure targeting a private internal name. Source comments self-label the file as "[PoC] Dependency confusion payload — AUTHORIZED TESTING ONLY" and tag reports with poc: 'dependency-confusion-npm', but the runtime behavior is indistinguishable from a real attack: any installer that resolves this name from the public registry has its CI/developer credentials exfiltrated and an attacker-controlled binary executed, regardless of the author's stated intent.
Source: amazon-inspector (02414b019347c91f59a506d88dffc19306c7c287936df0d42327ad6b32eb0bf2)