npm

exodus-checkout-signer @99.0.0-canary.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5439

Ecosystem

npm

Summary

exodus-checkout-signer is the unscoped name of the scoped package @exodus/checkout-signer and self-describes (in README and package.json) as a dependency-confusion proof-of-concept targeting installers who follow Exodus's documented install command and drop the scope. The package's main entry throws on require, so any caller fails loudly, but on npm install the postinstall script unconditionally runs node src/canary.js, which performs a DNS lookup and an HTTPS GET to 96e03fa6c292469a-172-245-86-254.serveousercontent.com — a Serveo SSH-tunneling endpoint with a raw IP (172.245.86.254) embedded in the subdomain — passing the package name and version as query parameters (/canary-install?pkg=...&ver=...). No installer secrets are exfiltrated, but every installation reveals the victim's source IP, timing, and corporate-network egress to an anonymous third-party tunnel operator that is not affiliated with the impersonated Exodus publisher. The combined name confusion against a top-shelf wallet vendor's documented scope plus install-time beaconing to attacker-controllable infrastructure is a live supply-chain attack regardless of the author's stated 'research' intent.

Source: amazon-inspector (921c5ef246587db452bdb65aae12321f4de868e7882f9550f9b9e32300ae792c)
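The two signals the summary describes, a scope dropped from a trusted publisher's name and an install lifecycle script that runs whether or not the package is ever required, can both be checked from the lockfile before anything is installed. The following is an added example written for this page; it is not code from the OSV report, from the package, or from Exodus. It assumes an npm lockfile of version 2 or 3 (which lists every installed package under "packages" and marks install/preinstall/postinstall scripts with "hasInstallScript"), a caller-supplied list of trusted scopes, and a constructed sample lockfile; the "hypothetical-native-addon" entry is invented to show that an install script on its own is a review item rather than proof of malice.

```javascript
'use strict';

// Added example, not code from the OSV report or from Exodus. Audits an npm
// lockfile (lockfileVersion 2 or 3, which records every installed package
// under "packages") for the two signals the report describes:
//   1. an unscoped name that shadows a trusted scope ("exodus-checkout-signer"
//      standing in for "@exodus/checkout-signer"), and
//   2. an install lifecycle script, which npm marks with "hasInstallScript"
//      and which runs on "npm install" even if nothing ever requires the package.
// The trusted-scope list and SAMPLE_LOCK are assumptions constructed here.

// Lockfile keys are paths such as "node_modules/a/node_modules/@s/b"; the
// package name is whatever follows the last "node_modules/".
function nameFromLockKey(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// If an unscoped name looks like "<scope>-<rest>" for a trusted scope, return
// the scoped name it most plausibly impersonates; otherwise null.
function shadowedScopedName(name, trustedScopes) {
  if (name.startsWith('@')) return null;
  for (const scope of trustedScopes) {
    const prefix = `${scope}-`;
    if (name.startsWith(prefix) && name.length > prefix.length) {
      return `@${scope}/${name.slice(prefix.length)}`;
    }
  }
  return null;
}

// Returns one finding per suspicious package: { name, version, reasons[] }.
// A package that trips both checks matches the pattern in this report.
function auditLockfile(lock, trustedScopes) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // "" is the root project itself
    const name = nameFromLockKey(key);
    const reasons = [];
    const shadowed = shadowedScopedName(name, trustedScopes);
    if (shadowed) reasons.push(`unscoped name shadows ${shadowed}`);
    if (entry.hasInstallScript) reasons.push('runs an install lifecycle script');
    if (reasons.length > 0) {
      findings.push({ name, version: entry.version, reasons });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project's). The native-addon entry
// is hypothetical: install scripts alone are a review item, not proof of malice.
const SAMPLE_LOCK = {
  name: 'checkout-demo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'checkout-demo', dependencies: { 'exodus-checkout-signer': '99.0.0-canary.1' } },
    'node_modules/exodus-checkout-signer': { version: '99.0.0-canary.1', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/hypothetical-native-addon': { version: '1.2.3', hasInstallScript: true },
  },
};

// Scopes this project expects to consume from the registry (assumption).
const TRUSTED_SCOPES = ['exodus'];

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, TRUSTED_SCOPES), null, 2));
```

Because the beacon fires from postinstall, the audit only helps if it runs before the install step (for example on the lockfile diff in a pull request, as the report's source tooling does). Installing with npm install --ignore-scripts, or setting ignore-scripts=true in the project's .npmrc, stops the lifecycle script from running at all, at the cost of also skipping legitimate native builds that then have to be run explicitly.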
