npm

@service-suppliers/fetch_suppliers_action_saga @9.9.10

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4435

Ecosystem

npm

Summary

The postinstall script (scripts/postinstall.js) performs three independent harmful actions during npm install:

(1) Credential theft. It enumerates process.env for credential-shaped keys (npm_token, npm_config_authtoken, github_token, aws_access_key_id, aws_secret_access_key, aws_session_token, artifactory_token, nexus_token, node_auth_token, npm_config__auth, etc.), reads ~/.npmrc, /etc/npmrc, ./.npmrc and ../.npmrc, and POSTs the collected secrets together with hostname, username, cwd, PATH, Node version and CI detection to https://oob.moika.tech/report with a hardcoded X-Secret header.

(2) Remote dropper. It GETs https://oob.moika.tech/payload/{linux,mac,win} (selected by OS), writes the response to a temp file (._service-suppliers_init.sh or .bat), chmods it 0755 and spawns it via /bin/sh or cmd.exe, detached and unref'd, so the second stage keeps running after npm exits. The payload is unverified and unpinned: whatever the server returns at install time is executed.

(3) Dependency-confusion squat. The source self-identifies as poc: 'dependency-confusion-npm' and references internal hosts (github.service-suppliers.io, jira.service-suppliers.io), confirming this is a squat on the @service-suppliers internal scope intended to fire on developer or CI machines that resolve the public registry copy instead of the internal one.

Source: amazon-inspector (8a3ebab0ad45763f2a27f43a1f97a820409b215589a45b5f3928b169ffc062bb)
