macos-ci-utils @1.0.1
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 12:37 PM UTC
OSV ID
MAL-2026-6378
Ecosystem
npm
Summary
On first require of the package, index.js decodes a base64-encoded URL (https://api.ingress-hub.com/cdn/assets/update.pkg) and downloads the response to ~/Library/Application Support/.node_cache/.runtime, chmods it 0755, writes a .lock sentinel for idempotency, and spawns it detached with stdio ignored. There is no hash or signature verification, the destination domain is unrelated to the package's stated publisher, and the staged file uses a hidden dot-name. The dropper code uses obfuscation patterns inconsistent with a legitimate utility: single-letter identifiers (_D, _N, _P, _F, _U, _A), a base64-encoded URL string, a forged Mozilla/5.0 macOS User-Agent, and darwin-only platform gating. The README advertises a passive 'getStatus()' validation API and does not mention any network fetch or binary execution; the code's behavior contradicts the documentation. Any installer that requires this package on macOS executes attacker-controlled bytes from api.ingress-hub.com with full user privileges.
Source: amazon-inspector (8f342b002e02396d7f82ee89e77140204c35b673411afd05bc1b3ca91c895a06)
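A defender-side check for the indicators described in the summary, as an added example that is not part of the advisory or of any vendor tooling: it looks for macos-ci-utils 1.0.1 in a parsed package-lock.json and lists files in the hidden staging directory. The function names are hypothetical; the package name, version and directory come from the summary above.

```javascript
// Added example. Package name, version and staging directory are from the advisory.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const BAD_NAME = 'macos-ci-utils';
const BAD_VERSION = '1.0.1';
const STAGE_DIR = path.join('Library', 'Application Support', '.node_cache');

// Locate the package in a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findInLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: flat map keyed by install path ("node_modules/a/node_modules/b").
    for (const [key, meta] of Object.entries(lock.packages)) {
      const name = meta.name || key.split('node_modules/').pop();
      if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(key);
    }
    return hits;
  }
  // v1: nested "dependencies" tree; transitive copies sit below their parent.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(here.join(' > '));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// List files in the hidden staging directory under a home directory (macOS layout).
// Everything is listed because the advisory does not give the sentinel's exact name.
function findStagedArtifacts(home = os.homedir()) {
  const dir = path.join(home, STAGE_DIR);
  if (!fs.existsSync(dir)) return [];
  return fs.readdirSync(dir).map((file) => {
    const full = path.join(dir, file);
    // lstat so a dangling symlink is reported instead of throwing.
    return { path: full, executable: (fs.lstatSync(full).mode & 0o111) !== 0 };
  });
}

// Stand-alone run: node check.js [path/to/package-lock.json]
const lockPath = process.argv[2] || 'package-lock.json';
if (fs.existsSync(lockPath)) {
  console.log('lockfile hits:', findInLockfile(JSON.parse(fs.readFileSync(lockPath, 'utf8'))));
}
console.log('staged files:', findStagedArtifacts());
```

A lockfile hit means the package was resolved for the project; a file in the staging directory means the code ran on that machine, and the two should be triaged separately.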