lab-services@99.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-6065

Ecosystem

npm

Summary

On `npm install`, the package's `preinstall` lifecycle script (Node.js) collects host identifiers from the installing machine (hostname, public IP resolved via api.ipify.org, current working directory, OS platform, and architecture) and POSTs them to a hardcoded Discord webhook at discord.com/api/webhooks/1516798168304586833/. The behavior fires automatically, with no opt-in and no user interaction. The package is published at version 99.0.0 with a description self-identifying as an 'Authorized Security Research PoC - Dependency Confusion Assessment' and keywords including 'bugbounty', 'msrc', and 'security-holding', which is the structural shape of a dependency-confusion squat against an internal package of the same name. Regardless of researcher intent, the public publication causes any installer that resolves this name (including unrelated organizations or accidental typo-installs) to leak internal network metadata to a third-party webhook.

Source: amazon-inspector (4acaa72e3c14b79785540c878cb48f7a0cdc238d20ac9cebd6ffdd42061f6e7b)
