portal-backend @999.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5781
Ecosystem
npm
Summary
On npm install, the package's preinstall hook executes postinstall.js, which enumerates process.env and filters keys matching a broad credential-shaped regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), then bundles those values together with os.hostname(), os.userInfo().username, process.cwd(), and npm registry config into a JSON payload and POSTs it via https.request to 185.130.46.35:8443/collect — a bare IP with no relation to any publisher domain. The source even self-identifies the behavior in a comment ("Exfil CI environment variables on install"). The package itself is hollow: index.js is module.exports = {}, the description is the generic "Internal package," and the version is 999.0.0 — the canonical dependency-confusion shape designed to outrank a private registry's portal-backend and have misconfigured installers fetch this public copy instead. Installing this package on any developer or CI machine immediately ships that machine's CI secrets, deploy tokens, SSH/registry credentials, and host identity to the attacker.
Source: amazon-inspector (c5aca21d0e952f5ba313432cf5d47e41f185d19e65d894a005cce20be90d4985)
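The indicators in the summary can be checked mechanically during triage. The following is an added example, not code from the package or from the report's source: assessPackage flags the install-hook, inflated-version and hollow-entry-point shape in a manifest, and exposedVariableNames lists which variable names on an affected host the reported filter would have selected, which is the rotation list. The function names, the major-version threshold of 99, the case-insensitive regex flag and all sample data are assumptions made for the example.

```javascript
// Added example: triage helpers for the indicators described in this report.
// The alternation is copied from the report; the "i" flag is an assumption.
const CREDENTIAL_SHAPED =
  /(key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host)/i;
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const MAJOR_THRESHOLD = 99; // assumption: no legitimate internal package reaches this major

// Returns which of the report's indicators a manifest and its entry-point source exhibit.
function assessPackage(manifest, entrySource) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string") findings.push(`install-hook:${hook}`);
  }
  const major = parseInt(String(manifest.version || "").split(".")[0], 10);
  if (Number.isInteger(major) && major >= MAJOR_THRESHOLD) findings.push("inflated-version");
  if (typeof entrySource === "string") {
    // Hollow entry point: nothing remains once comments and an empty export are removed.
    const stripped = entrySource
      .replace(/\/\*[\s\S]*?\*\/|\/\/.*$/gm, "")
      .replace(/module\.exports\s*=\s*\{\s*\}\s*;?/, "")
      .trim();
    if (stripped === "") findings.push("hollow-entry-point");
  }
  return findings;
}

// Names of environment variables the reported filter would have selected.
// Only names are handled here; values never need to leave the affected host.
function exposedVariableNames(envNames) {
  return envNames.filter((name) => CREDENTIAL_SHAPED.test(name)).sort();
}

// Constructed sample input (not taken from the package itself).
const sampleManifest = {
  name: "portal-backend",
  version: "999.0.0",
  description: "Internal package",
  scripts: { preinstall: "node postinstall.js" },
};
const sampleEntry = "module.exports = {}";
const sampleEnvNames = ["NPM_TOKEN", "HOME", "CI", "DEPLOY_KEY", "SLACK_WEBHOOK", "LANG", "HOSTNAME", "PATH"];

console.log(assessPackage(sampleManifest, sampleEntry));
console.log(exposedVariableNames(sampleEnvNames));
```

Because the filter is broad, the rotation list will include non-secret names such as HOSTNAME; treat it as an upper bound on what left the machine, not a list of confirmed credentials.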