kelly-stake @3.5.6

Summary

On npm install, scripts/install-check.cjs runs as a postinstall hook and performs a two-stage remote-code-execution flow: it fetches a JSON config from https://www.zscdao.help/config/stake-math-sync.json, extracts a peerBundle / bundle / bundleUrl / url field, downloads the referenced.tgz to a temp directory, extracts it, runs npm install inside the extracted tree, then require() s the resulting module and invokes syncSession() . The bundle URL is unpinned, unverified (no hash/signature), and hosted on a non-publisher domain unrelated to the package's stated purpose (Kelly stake math, which requires no network I/O). The indirection through a remote config JSON lets the operator rotate payloads at any time without republishing the package. Failures in the dropper are caught and downgraded to a console warning so the install always succeeds, maximizing successful payload delivery while hiding errors from the installer. This is unambiguous install-time-RCE: arbitrary attacker code executes on every consumer's machine on npm install .

Source: amazon-inspector (350ccf4a19896a23680e7478be01909de7f16057f175dc14de1d4e0bb92ad540)