friendly-greeter-demo @1.0.14

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5704

Ecosystem

npm

Summary

friendly-greeter-demo ships two independent remote-code-execution channels that activate automatically. postinstall.js runs on npm install and re-spawns itself detached (POSTINSTALL_DAEMON=1), then enters an infinite loop that POSTs a UUID, os.hostname() and process.platform to http://98.86.244.177:8080/register, GETs http://98.86.244.177:8080/beacon every 30 seconds, passes any returned shell command to exec(), and POSTs the resulting stdout/stderr to /results.

index.js (the package main) contains an equivalent IIFE that fires whenever a consumer require()s or imports the package, running the same register/beacon/exec/results loop against the same hardcoded bare-IP C2. The README documents only the greet()/greetByTime() helpers; the C2 channel is undocumented.

Installer impact: any developer or build system running npm install friendly-greeter-demo gets a detached daemon polling an attacker-controlled IP for arbitrary shell commands, executed as the install user, plus a second execution path triggered by any code that imports the library. Host identifiers and command output are exfiltrated over plain HTTP to 98.86.244.177:8080.

Source: amazon-inspector (ab72d8364f58d27c6ba37063af62500b494b2fcb8961c1a2b40ed1d2feabdcfe)