npm

gx-npm-ui@99.99.99

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC

Malicious

OSV ID

MAL-2026-6481

Ecosystem

npm

Summary

Package published at version 99.99.99 under the gx-npm-* namespace, a shape designed to win npm version resolution against private internal packages of the same name. package.json declares the postinstall script "node beacon.js", which runs unconditionally on npm install. beacon.js collects the installer's hostname, OS username, current working directory, package name, Node version, and the first 80 environment variable names, then exfiltrates them two ways to the hardcoded out-of-band host d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me: (1) a DNS lookup encoding the collected identifiers as subdomain labels, and (2) an HTTPS GET with a base64-encoded JSON payload in the query string. Any CI/build system or developer machine that resolves this package against the public npm registry leaks host identity and environment-variable names to an attacker-controlled interactsh/OAST endpoint on every install.

Source: amazon-inspector (04e5ac6b8b24f2c158c37d3d6ac268bbf7f472433660064491538ee468cfcfcb)
