metrics-pipeline-d8k2 @1.0.20
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5858
Ecosystem
npm
Summary
Package declares "postinstall": "node run.js" in package.json, causing automatic execution of bundled beacon scripts on npm install. beacon29.js loads child_process, https, and fs; reads files via fs.readFileSync and reads process.env; gathers host identity (process.platform); and POSTs/GETs the data to remote endpoints. It also references https://registry.npmjs.org and https://npm.pkg.github.com, consistent with credential/token harvesting and potential self-propagation through registry APIs. beacon_linux.js mirrors the pattern on Linux: require('child_process') + require('http') + os.hostname() + os.platform(), followed by an http.request(...) POST to a remote host. The package's stated 'metrics pipeline' name is a cover; the only behavior on install is host fingerprinting and outbound exfiltration. Installing this package on a developer or CI machine causes immediate compromise: environment variables (which commonly hold cloud and CI tokens), file contents, and host identifiers are sent to attacker-controlled infrastructure without user interaction.
Source: amazon-inspector (01ad2ee3d3807102a3f02c01af0d3fec46d91e9764eb77a8bcedf9c6be7fc3b0)