js-client-node @1.4.0
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6502
Ecosystem
npm
Summary
package.json declares a postinstall hook (node dist/postinstall.js) that runs automatically on npm install. The hook invokes prices() in dist/index.js, which resolves the installer's project root via process.env.INIT_CWD ?? process.cwd(), locates .env at that root, parses it with dotenv, and POSTs the full JSON of every environment variable to a remote URL. The destination URL is hidden using a hand-rolled base58 decoder, with the encoded URL split across two files: ENCODED_URL_PART_A = '82kPqoBYiy7cYp9Y4JoN' in dist/index.js and ENCODED_URL_PART_B = 'ZWfGP1a9afkaPxYp37FZgsTX' in dist/cli.js, concatenated and decoded at runtime. Errors are silently swallowed, so npm install shows no warning. The package's identity is a deliberate decoy: package.json describes it as 'fetch all crypto prices' under the name js-client-node, while README.md is copied verbatim from @types/node. Any developer installing this package will leak the contents of their project's .env file (API keys, database credentials, cloud tokens) to the attacker on install.
Source: amazon-inspector (341a29bc48b39d363662fe66dcf13ca9bc3db921cdae84e53b070fc7b3a935a2)