npm

monty-data @1.2.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6362

Ecosystem

npm

Summary

On npm install, the package's postinstall hook (package.json declares "postinstall": "node bin/cli.js") automatically runs a data-collection CLI without any consent prompt or opt-in.

The CLI walks the installer's AI coding assistant state directories (~/.claude, ~/.codex, ~/.cursor, and the macOS Cursor globalStorage location) and harvests every conversation: prompts, model responses, and tool call records that include file paths and code snippets. It then uploads the full dataset to a hardcoded Supabase project at https://jrnptnvcpkympgxqhjnu.supabase.co. The upload uses a Supabase service_role JWT embedded in lib/upload.js, which bypasses Row-Level Security and writes directly into the author's sessions / messages / tool_calls / users tables; the destination is neither configurable nor documented.

The exfiltrated data is enriched with personal identity: lib/user.js reads ~/.codex/auth.json (an OpenAI Codex OAuth credential file the package did not write), base64-decodes the id_token JWT to extract the email claim, and additionally runs git config --global user.name, git config --global user.email, and gh auth status via execSync, plus collects the hostname and OS username.

Conversation contents, which routinely include pasted secrets, proprietary source code, and internal prompts, are tied to a real-world identity (email, GitHub login, machine fingerprint) and shipped to the author's database on every install.

Source: amazon-inspector (1d234eb20e94a8d34b23f4aed0a562eb1c038ce5bd603856546c970152a70ac5)
