@engagehub/core @99.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4258
Ecosystem
npm
Summary
All three lifecycle hooks (preinstall, install, postinstall) in package.json invoke node telemetry.js, so the payload fires unconditionally on npm install. telemetry.js gathers host context (OS, arch, Node version, pid) and CI-provider fingerprints by reading GITHUB_ACTIONS, AZURE_DEVOPS, and JENKINS_HOME, hex-encodes a JSON blob, and exfiltrates it as chunked dns.lookup() queries whose subdomain labels carry the encoded data. The destination is built by string concatenation to evade scanners: "d82atu5fokal0459"+"5n00qkgj7qiyixx7a"+"."+"oa"+"st"+"."+"li"+"ve", which resolves to a token under oast.live, an out-of-band interaction (interactsh) service commonly used by attackers as a covert DNS C2/exfil channel.

The package additionally impersonates Microsoft (a false "Copyright (c) Microsoft Corporation" header, a fabricated github.com/microsoft/core repository URL, and references to a nonexistent engdocs.microsoft.com docs site) under an UNLICENSED license to lend credibility to the dropper.

Installing this package on a developer workstation or CI runner leaks host and CI-environment fingerprints to attacker-controlled infrastructure and confirms to the operator that the package is reachable for follow-on targeting.
Source: amazon-inspector (bcc397ed87426726776c339f950939ac2da46c12edd018ed4bc48031f7044094)
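A defender-side illustration of the exfiltration channel described in the summary, added here and not part of the OSV record or of the package itself: it reassembles hex-encoded DNS labels from a query log and flags any apex whose decoded payload parses as JSON. The log format, the exfil-apex.invalid and cdn.example.net names and the query contents are constructed for the example, and it assumes the chunks appear in the log in order.

```python
import binascii
import json
import re
from collections import defaultdict
from itertools import takewhile

# Constructed sample DNS query log (timestamp client qname), not from the report; the first three queries carry one hex-encoded JSON blob split across data labels.
SAMPLE_LOG = """\
2026-06-23T03:29:01Z 10.0.0.5 7b226f73223a226c696e7578222c2261.exfil-apex.invalid
2026-06-23T03:29:01Z 10.0.0.5 726368223a22783634222c2270696422.exfil-apex.invalid
2026-06-23T03:29:02Z 10.0.0.5 3a343231327d.exfil-apex.invalid
2026-06-23T03:29:02Z 10.0.0.5 registry.npmjs.org
2026-06-23T03:29:03Z 10.0.0.5 d41d8cd98f00b204.cdn.example.net
"""

# A data label: even-length lowercase hex, 8 to 62 chars (4 to 31 bytes; a DNS label is at most 63 chars).
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){4,31}$")

def split_qname(qname):
    """Return (leading hex data labels, remaining apex) for one query name."""
    labels = qname.rstrip(".").split(".")
    hex_labels = list(takewhile(HEX_LABEL.match, labels))
    return hex_labels, ".".join(labels[len(hex_labels):])

def classify(raw):
    """Label reassembled bytes as a JSON object/array, readable text, or noise."""
    text = raw.decode("utf-8", errors="replace")
    try:
        obj = json.loads(text)
        if isinstance(obj, (dict, list)):
            return "json", obj
    except ValueError:
        pass
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return ("text", text) if printable >= 0.9 * len(raw) else ("binary", raw.hex())

def find_hex_exfil(log_text):
    """Group data-label queries by apex and reassemble the chunks in log order (assumes
    chunks arrive in order; a real detector would also key on client and time window)."""
    chunks = defaultdict(list)
    for qname in (line.split()[-1] for line in log_text.splitlines() if line.strip()):
        hex_labels, apex = split_qname(qname)
        if hex_labels:
            chunks[apex].append("".join(hex_labels))
    findings = {}
    for apex, parts in chunks.items():
        kind, payload = classify(binascii.unhexlify("".join(parts)))
        findings[apex] = {"queries": len(parts), "kind": kind, "payload": payload}
    return findings
```

Run over the sample, the three exfil-apex.invalid queries reassemble to the JSON blob {"os":"linux","arch":"x64","pid":4212}, while the single hex-looking label under cdn.example.net decodes to non-printable bytes and is reported as binary rather than as a payload.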