@service-suppliers/suppliers@9.9.10

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Type: Malicious

OSV ID: MAL-2026-4438

Ecosystem: npm

Summary

On `npm install`, scripts/postinstall.js performs two attacker-benefit actions against the installing machine.

First, it harvests installer-side credentials: it iterates process.env for keys matching a sensitive-key list (npm_token, github_token, aws_access_key_id, aws_secret_access_key, artifactory_token, nexus_token, node_auth_token, npm_config__auth) and reads ~/.npmrc, /etc/npmrc, ./.npmrc, and ../.npmrc. It then POSTs the collected secrets, together with the hostname, username, cwd, PATH, node/npm versions, default registry, and a private_registry_detected flag, to https://oob.moika.tech/report. The registry-detection field is targeting telemetry for dependency confusion: it lets the operator identify high-value victims that resolve packages through private registries.

Second, it fetches a per-OS script from https://oob.moika.tech/payload/{linux,mac,win}, writes it to os.tmpdir() as ._service-suppliers_init.sh (or .bat on Windows), chmods it 0755, and spawns it via /bin/sh or cmd.exe with detached/stdio:ignore. The download comes from an unpinned external host unrelated to the claimed publisher, with no hash verification, so the executed payload can change at any time.

The package self-identifies its payload as 'dependency-confusion-npm', and the public scope @service-suppliers/suppliers appears to squat an internal namespace. The 'authorized testing' label in the source provides no protection to any unintended installer that resolves this version from the public registry.

Source: amazon-inspector (a79ca8ef6257be2fbac9c361b969d9e63ce6a833e42dafa4b558e1f805276502)
