npm

hunsterx-package @7.0.1

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6337

Ecosystem

npm

Summary

preinstall.js executes a chain of eval(Buffer.from('<base64>','base64').toString()) payloads at npm install time. The decoded payloads collect host identity (os.hostname, os.userInfo, cwd, network interfaces), the full process.env (chunked over DNS if larger than 5KB), the contents of ./.npmrc and ~/.npmrc, AWS EC2 instance-identity metadata fetched from IMDSv2 at 169.254.169.254 (account ID, region), and recursive reads of *.env / *.config / *.yaml / *.toml files in the working directory. All collected data is transmitted via https.get and dns.resolve to d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun (a ProjectDiscovery Interactsh out-of-band collaborator). postinstall.js additionally performs a DNS callback to postinstall-<rand>.d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun to confirm that both lifecycle phases ran. The base64+eval wrapping has no functional purpose other than evading static review. Installer impact: any developer or CI runner that performs npm install on this package leaks npm publish tokens (from .npmrc), full environment variables (commonly containing API keys, cloud credentials, and CI secrets), and AWS account/region identifiers to the attacker.

Source: amazon-inspector (32f2430d6e0da9484283d0012a16df0c593ccb5fa2a56ea727bd19ba435f964f)
