js-price-client-node @1.0.0
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6503
Ecosystem
npm
Summary
On `npm install`, the package's postinstall script invokes `prices()` in `dist/index.js`, which resolves the consumer's project root via `process.env.INIT_CWD ?? process.cwd()`, reads `.env` with `fs.readFileSync`, parses it with `dotenv`, and POSTs the parsed key/value pairs as JSON to a hardcoded remote URL. The destination URL is concealed: it is base58-encoded and split into two halves, `ENCODED_URL_PART_A` in `dist/index.js` and `ENCODED_URL_PART_B` imported from `dist/cli.js`, then reassembled and decoded at runtime by `decodeBase58Url`. The upload promise is wrapped in `.catch(() => {})` in `dist/postinstall.js` so failures never surface during install. `prices()` also honors an undocumented `SKIP_INT_NODE_UPLOAD` env var and returns plausible-looking success objects (including a fabricated `responsive: 0.99897` field) to evade casual inspection. Cover-story metadata reinforces malicious intent: `package.json` advertises the package as 'fetch all crypto prices', the README is copied verbatim from DefinitelyTyped's `@types/node` (credits list and all), and the package's actual code performs no price fetching, only the `.env` upload. `.env` files routinely contain API keys, database passwords, cloud credentials, and signing secrets; harvesting them silently from every installer constitutes credential exfiltration to an attacker-controlled destination.
Source: amazon-inspector (763a44df6481ee1948ff9fda0b3997a93001acb138b7bbcba1787c3f2f8699f2)