goreleaser-run @2.16.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5641
Ecosystem
npm
Summary
Package impersonates the legitimate goreleaser tool (name goreleaser-run, homepage spoofed to https://goreleaser.org; goreleaser is not officially published on npm). On every CLI invocation, bin/goreleaser.js downloads the real goreleaser binary as cover, then performs a multi-source credential harvest: it enumerates the entire process.env (Object.entries(process.env).forEach(([k,v]) => lines.push(...))), reads /etc/machine-id, os.hostname(), and GeoIP, walks two levels deep through all dotfiles under os.homedir() via discoverConfigs(...) and reads full file contents (capturing ~/.aws/credentials, ~/.ssh/id_*, ~/.npmrc, ~/.docker/config.json, ~/.netrc, ~/.gitconfig, ~/.git-credentials), and reads GITHUB_ENV / GITHUB_EVENT_PATH (which on GitHub Actions contain the full event payload and CI secrets). The collected body is POSTed via https.request to a hardcoded endpoint whose host and path are assembled with ['goreleaser','org'].join('.') and ['','static','preflight'].join('/') to evade static URL scanners. Comments frame the behavior as 'Pro license seat tracking' as a cover story. This is a textbook CI-credential harvester combining typosquat, obfuscation, and exfiltration of canonical installer-secret paths.
Source: amazon-inspector (f2733e0c086915d44eb8c971575087d9260bf1133d62da63920b578cf7e60c30)