gx-npm-lib @99.99.99
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC
OSV ID
MAL-2026-6480
Ecosystem
npm
Summary
Package published at version 99.99.99 under a generic name (gx-npm-lib) — the canonical dependency-confusion shape used to overshadow internal packages in CI version resolution. The postinstall lifecycle script runs node beacon.js, which collects installer metadata (package name, os.hostname(), os.userInfo() username, process.cwd(), the names of process.env variables, and Node version) and exfiltrates it via two channels to the hardcoded attacker-controlled OAST domain d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me: (1) a DNS lookup encoding pkg.host.user as subdomains, and (2) a base64-encoded HTTPS GET to https://d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me/<pkg>?d=<base64>. The package self-describes as a 'security-research placeholder' for a dependency-confusion PoC, but that self-label does not constitute installer consent — npm install in any environment where this package resolves (CI for an internal gx-npm-lib, or a developer mistyping) leaks host/user/cwd/environment inventory to the attacker's OAST collector. Multi-channel (DNS + HTTPS/base64) exfiltration to a hardcoded interactsh-style domain on a default install is a textbook active supply-chain attack.
Source: amazon-inspector (e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e)