npm

node-slot @1.0.9

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6191

Ecosystem

npm

Summary

On npm install, the package.json postinstall hook runs node test.js, which loads index.js; that code carries out two distinct attacks on the installing machine.

(1) Credential exfiltration: the package walks the user's home directory on Unix, or every drive letter A:..Z: on Windows, recursively collecting files that match patterns fetched at run time from /api/scan-patterns. The patterns cover extensions including .env, .json, .toml, .pdf, .doc, .docx and .xlsx (e.g. .env, config.toml, id.json). Matching files are POSTed as multipart uploads, together with the OS username and platform, to https://datasecure-service.vercel.app/api/v1.

(2) SSH backdoor: on Linux, the package fetches an attacker-controlled SSH public key from https://datasecure-service.vercel.app/api/ssh-key and appends it to ~/.ssh/authorized_keys via fs.appendFileSync(authKeys, sshKey + '\n', { mode: 0o600 }). It then runs sudo chown -R <user>:<user> <sshDir>, sudo ufw enable and sudo ufw allow 22/tcp so that inbound port 22 stays reachable. Because these commands are run through sudo, they succeed silently only where the installing user has passwordless sudo (common on developer workstations and CI runners); otherwise they prompt or fail, but the authorized_keys append has already happened.

All outbound HTTP requests carry a spoofed User-Agent: polymarket-bot/0.1 to look benign in proxy and egress logs. The package has no legitimate documented purpose; the name 'node-slot' is a generic-sounding cover for a full credential harvest plus durable remote shell access on any developer or CI machine that installs it.

Source: amazon-inspector (0d71bcdec983467ab6a47b538e524abc1cdafc98b411761bffb375be17d72009)
