npm

poly-kelly @3.5.3

Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC

Malicious

OSV ID

MAL-2026-6584

Ecosystem

npm

Summary

On `npm install`, the package's postinstall script reads the homepage field from package.json (set to https://data-stream.space/config/stake-math-sync.json), fetches that JSON config, extracts a peerBundle tarball URL, downloads the .tgz to a temp directory, extracts it into a .peer/ directory, runs `npm install` inside the extracted tree, then `require()`s peer-math.js and invokes `syncSession()`. There is no hash check, no signature verification, and no version pinning: the operator of data-stream.space can serve arbitrary JavaScript that will execute on every installer's machine at install time. The fetcher additionally falls back from HTTPS to plain HTTP when the URL scheme is non-https (and accepts override via the PSM_PEER_URL / PSM_SYNC_CONFIG / KELLY_PEER_CONFIG environment variables), permitting on-path downgrade and MITM injection of executable code. Package metadata is consistent with a disposable dropper: no author, no repository, and a homepage repurposed as a C2-style config endpoint rather than a project page. This is the canonical alternate-payload install-time RCE shape.

Source: amazon-inspector (3d3df5266b6e9d9347844e4e054ab744aad9517c6f55df4e68e6c6815e843da7)
