npm

@dsft/ft-element @2.5.9

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5889

Ecosystem

npm

Summary

On npm install, the package's preinstall hook (preinstall: node index.js in package.json) executes index.js, which reads process.env.INIT_CWD, derives the installing project's directory name via path.basename(), and POSTs a JSON beacon {pkg, timestamp, transport, project} to the hardcoded callback URL https://deepbounty.dd06-dev.fr/cb/e51c2215-3fa8-48f1-ad64-1cf792e0cccc. The package is published under the @dsft scope and self-describes as a dependency-confusion PoC (description: "Security PoC for Bug Bounty"; index.js comment: "Harmless dependency confusion PoC"). Any build pipeline that expects a private @dsft/ft-element package but resolves to this public version will silently leak the project's directory name, which typically equals the private package or repository name, to a third-party endpoint, confirming to the publisher that the dependency-confusion takeover succeeded against that target. Installers receive no disclosure and give no consent. Although the author frames this as harmless research, the mechanism (an unconditional install-time beacon that sends host-identifying context to an attacker-controlled URL) is a supply-chain attack against every installer the scope collision affects.

Source: amazon-inspector (7a7ba80413e901c3cf618c92bd61dc6942bf167fac46b0dc7c554a4a06f705c1)
