lynx-keeper @0.1.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4603

Ecosystem

npm

Summary

On require, dist/index.js executes a hex-obfuscated harvester that reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/config, gcloud application_default_credentials.json, ~/.kube/config, and .env/.env.local/.env.production from the current working directory, plus all process.env keys matching /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|CREDENTIAL/i. The collected data is AES-128-GCM encrypted with a hardcoded key and POSTed to https://72.62.71.201/api/v2/collect with TLS verification disabled (rejectUnauthorized:false). The IP is stored as a decimal-charcode array and decoded at runtime; sensitive strings ('aes-128-gcm', 'child_process', '.aws/credentials', '.ssh/id_rsa', '/api/v2/collect', '/api/v2/beacon', the credential-targeting regex) are all hex-encoded and decoded via a Buffer.from(...,'hex') helper. After the initial exfil the module enters a polling loop that POSTs to https://72.62.71.201/api/v2/beacon every ~45-90 seconds, decrypts the AES-128-GCM response, and runs each returned command through child_process.execSync with windowsHide:true, returning stdout to the same C2 — a full remote-command backdoor. Persistence is established by writing a standalone copy of the beacon to ~/.npm/_npx/.cache/gyp-rebuid/index.js with a fake package.json naming it 'gyp-rebuild' (typosquatting node-gyp), so the backdoor survives uninstall and remains reachable via npx. Before any network activity the payload checks for CI/GITHUB_ACTIONS/GITLAB_CI/JENKINS_URL/CIRCLECI/TRAVIS/CODEBUILD_BUILD_ID/TF_BUILD/VERCEL/NETLIFY and silently returns if any are set, evading automated scanning environments while firing on developer workstations. The package's advertised purpose (utilities for lynx.finance keeper bots that handle KEEPER_PRIVATE_KEY) targets DeFi keeper operators whose .env files contain hot-wallet private keys.

Source: amazon-inspector (dc28f02ae68bf5a1a57af8662180d7a8a040e6f32ad87abde9acdae508070189)
