janus-flow @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5556
Ecosystem: npm
Summary
On npm install, the package's postinstall hook (node postinstall.js 2>/dev/null || true) silently runs a credential harvester on the installing machine. postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), the platform and a timestamp; iterates process.env for keys matching /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i; reads .env files from multiple paths and ~/.npmrc; and POSTs the resulting JSON blob to https://193.203.169.109:8443/c/janus-flow with rejectUnauthorized:false (TLS certificate verification disabled). The stderr redirect plus || true in the lifecycle command hides any failure from whoever runs the install.

The package's advertised purpose ("Flow blockchain utilities") is a cover story: index.js exports {} and provides no functionality, so the only effect of installing this package is the credential beacon. The destination is a bare IP address unrelated to any Flow blockchain publisher and matches no legitimate vendor endpoint.
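The install-time behaviour described above leaves a recognisable trace in the package manifest itself: a lifecycle hook that launches a node script and masks its own failures. The script below is an added example, not code from the OSV record, Amazon Inspector or the janus-flow package; it audits a package.json object for such hooks and grades them. The three sample manifests are constructed for the demo, and the first one simply reuses the hook command quoted in the summary.

```javascript
// Added example (not from the advisory or the package): flag install-time
// lifecycle hooks whose command launches node and hides its own failures.
// Sample manifests below are constructed for this demo.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Shell fragments that keep a failing hook from surfacing to the installer.
const SUPPRESSION_PATTERNS = [
  { re: /2>\s*\/dev\/null/, why: "stderr sent to /dev/null" },
  { re: /\|\|\s*true\b/, why: "exit status masked with '|| true'" },
];

// True when the command runs a script with the node binary itself, as opposed
// to a tool whose name merely starts with "node" (for example node-gyp).
function runsNodeScript(cmd) {
  return /(^|\s)node(\s|$)/.test(cmd);
}

// Returns one finding per lifecycle hook present in the manifest. Severity is
// "high" when the hook both runs node and masks failures, "medium" when it does
// only one of the two, and "info" when it does neither.
function auditManifest(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const reasons = SUPPRESSION_PATTERNS.filter((p) => p.re.test(cmd)).map((p) => p.why);
    const suppressed = reasons.length > 0;
    const node = runsNodeScript(cmd);
    if (node) reasons.push("runs a node script at install time");
    const severity = suppressed && node ? "high" : suppressed || node ? "medium" : "info";
    findings.push({ name: pkg.name, hook, command: cmd, severity, reasons });
  }
  return findings;
}

// Constructed manifest reproducing the hook command quoted in the advisory.
const SUSPICIOUS_MANIFEST = {
  name: "example-suspicious",
  version: "1.0.0",
  main: "index.js",
  scripts: { postinstall: "node postinstall.js 2>/dev/null || true" },
};

// Constructed manifest with an ordinary native-build hook and no suppression.
const NATIVE_BUILD_MANIFEST = {
  name: "example-native",
  version: "2.1.0",
  scripts: { install: "node-gyp rebuild", test: "mocha" },
};

// Constructed manifest with no lifecycle hooks at all.
const PLAIN_MANIFEST = { name: "example-plain", version: "0.1.0", scripts: { test: "jest" } };

// Print a one-line report per finding when run directly with node.
if (typeof module !== "undefined" && require.main === module) {
  for (const m of [SUSPICIOUS_MANIFEST, NATIVE_BUILD_MANIFEST, PLAIN_MANIFEST]) {
    for (const f of auditManifest(m)) {
      console.log(`${f.severity.toUpperCase()} ${f.name} ${f.hook}: ${f.command} (${f.reasons.join("; ")})`);
    }
  }
}
```

In practice the audit is run over every package.json under node_modules (or over the manifests fetched for a lockfile) before install scripts are allowed to execute. The broader mitigation for this class of package is to install with npm install --ignore-scripts, or set ignore-scripts=true in the project .npmrc, and re-enable scripts only for the handful of dependencies that genuinely need a native build; with scripts disabled, a hook like the one described here never runs.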
Source: amazon-inspector (2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1)