npm

@gbrlxvii/ts-form-utils @4.7.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4298

Ecosystem

npm

Summary

On require('@gbrlxvii/ts-form-utils'), index.js silently loads lib/perf.js inside a try/catch. perf.js immediately collects a host fingerprint (os.hostname, os.userInfo, cwd, env), reads ~/.npmrc and additional npmrc paths (/root/.npmrc, /app/.npmrc, ./.npmrc, /home/jules/.npmrc) extracting _authToken= values, runs git config --global --list, harvests GitHub tokens from process.env.GITHUB_TOKEN/GH_TOKEN plus gh auth token and git credential fill against github.com, and uses any captured token live against api.github.com/user/repos to enumerate private repositories.

All collected data, including raw .npmrc contents and token prefixes, is POSTed to https://aaronstack.com/jules-collect via the paths sc-start, sc-npm, sc-token and sc-proxy-enum. The package additionally probes http://192.168.0.1:8080 and runs git ls-remote against Shopify/cli, Shopify/hydrogen, Shopify/polaris and other Shopify private repos via that proxy, fingerprinting the Google Jules AI agent sandbox in order to exfiltrate private source.

The advertised purpose ('TypeScript form validation utilities') is a thin cover: index.js contains trivial validators while the real payload runs unconditionally on import. Any installer that requires this package leaks npm publish tokens and GitHub credentials to attacker infrastructure, enabling an immediate supply-chain pivot.

Source: amazon-inspector (2a6e392f9939f227d4cee6ca815413961f271e9d22f33f7f0384a34c54d74223)
