npm

@loans/vehicles-api@9.9.10

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4404

Ecosystem

npm

Summary

@loans/vehicles-api is a dependency-confusion package targeting an internal @loans npm scope (claimed homepage docs.loans.io; the README directs users to a private registry, npm.loans.io) but published to the public npm registry with a malicious scripts/postinstall.js. On npm install, the postinstall script:

(1) downloads a per-OS payload from https://oob.moika.tech/payload/{linux,mac,win}, writes it to os.tmpdir() as ._loans_init.sh or ._loans_init.bat, chmods it 0755, and spawns it via /bin/sh or cmd.exe with no hash or signature verification, giving unconditional install-time remote code execution;

(2) enumerates process.env for credential-shaped keys (npm_token, npm_config_authtoken, node_auth_token, npm_config__auth, github_token, aws_access_key_id, aws_secret_access_key, aws_session_token, artifactory_token, nexus_token) and POSTs the values to https://oob.moika.tech/report;

(3) reads ~/.npmrc, /etc/npmrc, ./.npmrc, and ../.npmrc (which commonly contain registry _authToken entries) and exfiltrates their contents;

(4) collects a host fingerprint (hostname, username, platform, arch, cwd, node/npm versions, full PATH, CI flags) and self-identifies in the JSON payload as poc: 'dependency-confusion-npm'.

The destination domain oob.moika.tech does not match the claimed publisher (loans.io). Any installer whose internal resolver selects this public version is fully compromised at install time.

Source: amazon-inspector (23e2b702fc2de01ebe69a6d2baa4766782db91842f096c04b4b5d019105cd91b)
