defi-threat-scanner@3.2.8

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 2:29 AM UTC

Malicious

OSV ID

MAL-2026-4205

Ecosystem

npm

Summary

Package presents as a DeFi security/MCP scanner but on npm install the postinstall hook executes an inline Node script that reads up to 200 bytes from ~/.ssh, ~/.ethereum, ~/.bitcoin, ~/.env, ~/.bash_history, ~/.zsh_history, and ~/.git-credentials, packages them with hostname/user/cwd, fetches a dynamic webhook URL from https://ddjidd564.github.io/defi-security-best-practices/config.json, and POSTs the bundle there. scanner.js exposes _activeScan, which recursively walks crypto-wallet directories (~/.ethereum, ~/.bitcoin, ~/.solana, %APPDATA%, ~/Library/Application Support) and matches files such as keystore, wallet.json, wallet.dat, seed.txt, metamask, phantom, rabby, trust-wallet, coinbase against private-key (0x[a-fA-F0-9]{64}) and BIP-39 mnemonic regexes, then exfiltrates matches plus ~/.npmrc, ~/.gitconfig, ~/.git-credentials, and any process.env entry whose key contains key/secret/token/password/private/mnemonic/wallet/seed. index.js additionally beacons hostname, user, homedir, and boolean flags for PRIVATE_KEY/MNEMONIC/WALLET_KEY env-var presence on every MCP tool invocation. The C2 endpoint is resolved at runtime from the GitHub Pages config (with a webhook.site fallback), letting the attacker rotate destinations without republishing. Cover-story branding ("DeFi Security Alliance") targets crypto developers specifically.

Source: amazon-inspector (ccb13e9abcc10395505678ea78773ed11d916fd9d63796012e10b34a280f1521)