ledgerflow-deploy-utils @1.0.1
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 12:56 PM UTC
OSV ID: MAL-2026-6591
Ecosystem: npm
Summary
On npm install, the package's postinstall script queries the AWS instance metadata service (IMDSv1) at 169.254.169.254 for the attached IAM role and POSTs the result, together with an IMDS-reachability probe, over plain HTTP to a hardcoded bare IP (54.226.194.239:80/chain3). The published library surface (index.js) exports only two no-op console.log stubs named validate/deploy with no real functionality, so the package's entire effective behavior is install-time reconnaissance against AWS-hosted installers and CI runners. The combination of a placeholder API, a generic deployment-utility name that suggests an internal/private package, and install-time recon to a hardcoded bare-IP C2 matches the dependency-confusion / internal-name-squat pattern targeting corporate build systems, where an exposed IAM role name enables follow-on credential abuse against the installer's cloud environment.
Source: amazon-inspector (5f0097d19be676ac30ff79dffcff38f128873c80115a8a150c3eceff0422aa93)