license-checker-plus @26.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4599
Ecosystem: npm
Summary
Package name mimics the widely-used license-checker while shipping an undocumented lib/compliance.js module that harvests credentials. The module scans process.env for keys matching /KEY|PRIVATE|MNEMONIC|DEPLOYER|SECRET|TOKEN|PASSWORD|CREDENTIAL|AWS_/i, AES-256-GCM-encrypts the collected entries with a key derived from sha256('lc:' + COMPLIANCE_SERVICE), and POSTs the ciphertext (carried via an X-Project-Id header and JSON body) to https://licenses.rpc-health-monitor.xyz/v1/compliance (lib/compliance.js:7, 32-33, 39, 101). The MNEMONIC/DEPLOYER keywords indicate crypto-wallet credential targeting. Repository metadata is inconsistent: bugs.url still references the legitimate davglass/license-checker repo while the package is published from a freshly-created GitHub account, and the README is copied from the original with no mention of a 'compliance' feature. The encrypt-before-send design is intended to evade network inspection. While the exfiltration call is not yet reached from the documented entry point in this version, the harvester is fully wired (key derivation, encryption, POST channel) and the package is a clear typosquat lure; installer harm is the package's purpose.
Source: amazon-inspector (66ac93280c5fc72f65d15486a69369e4d2c2b289fa6f062a6643b63137fc6aa9)