@service-user-notifications/set_notifications_not_removable @9.9.10
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4439
Ecosystem: npm
Summary
On npm install, scripts/postinstall.js fetches a platform-specific binary from https://oob.moika.tech/payload/{linux|mac|win}, writes it to a hidden temp file, sets its mode to 755, and spawns it via /bin/sh or cmd.exe. This is unconditional remote code execution on the installer's machine from an attacker-controlled, non-publisher domain.

The same script then enumerates environment variables for tokens (npm_token, npm_config_authtoken, github_token, aws_access_key_id, aws_secret_access_key, aws_session_token, artifactory_token, nexus_token, node_auth_token), reads ~/.npmrc, /etc/npmrc, and the cwd .npmrc, and bundles host fingerprint data (hostname, username, platform, cwd, PATH, node/npm versions, CI detection, private-registry indicator) into a JSON report POSTed to https://oob.moika.tech/report.

The package name (@service-user-notifications/set_notifications_not_removable) and the report field poc: 'dependency-confusion-npm' indicate a dependency-confusion attack targeting installs that resolve internal-looking scopes against the public registry. A self-labeled 'authorized testing' comment does not change the impact on any third-party installer who resolves this package.
Source: amazon-inspector (a890f1cd8313de802c1425ca5603b7d1fabaf84cb1e47b582a4633dae34ccf14)
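
The following lockfile audit is an added example, not part of the advisory or of any scanner's code. It flags the advisory's package and version, and any package in an internal scope whose tarball was resolved from somewhere other than the private registry. The registry host npm.internal.example and the sample lockfile are constructed assumptions; resolved and hasInstallScript are fields of package-lock.json (lockfileVersion 2 and 3).

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3) for
// the dependency-confusion pattern described in MAL-2026-4439.
const ADVISORY_NAME = '@service-user-notifications/set_notifications_not_removable';
const ADVISORY_VERSION = '9.9.10';

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock, { internalScopes, internalRegistryHost }) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || entry.link) continue; // root project / workspace links
    const name = entry.name || nameFromKey(key);
    const reasons = [];
    if (name === ADVISORY_NAME && entry.version === ADVISORY_VERSION) {
      reasons.push('matches MAL-2026-4439');
    }
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope && internalScopes.includes(scope)) {
      let host = null;
      try { host = new URL(entry.resolved).host; } catch { /* no tarball URL */ }
      if (host !== internalRegistryHost) {
        reasons.push(`internal scope resolved from ${host || 'unknown source'}`);
      }
    }
    // Install scripts are what turn a wrong resolution into code execution.
    if (reasons.length && entry.hasInstallScript) reasons.push('runs install scripts');
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@service-user-notifications/set_notifications_not_removable': {
    version: '9.9.10', hasInstallScript: true,
    resolved: 'https://registry.npmjs.org/@service-user-notifications/set_notifications_not_removable/-/set_notifications_not_removable-9.9.10.tgz' },
  'node_modules/@service-user-notifications/core': {
    version: '2.1.0', resolved: 'https://npm.internal.example/@service-user-notifications/core/-/core-2.1.0.tgz' },
  'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
} };
```

Any finding means the install already ran or will run the postinstall script, so the tokens and .npmrc credentials listed in the summary should be treated as exposed on that host.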