tree-sitter-forth @9999.99.99
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6297
Ecosystem
npm
Summary
Package is a dependency-confusion lure: it claims version 9999.99.99 with description 'npm 404 error referenced in AlexanderBrevig/tree-sitter-forth', engineered to win resolution when an internal build references a non-existent public package of this name. index.js is a hollow re-export (module.exports = require('tree-sitter-forth')) while postinstall.js fires the actual payload.

On npm install, postinstall.js collects host identity (os.hostname(), Node/OS versions, package name+version), probes 16 CI provider environment variables, harvests GitHub workflow/repo/owner env vars, and reads the configured npm registry URL, then POSTs the bundle as JSON to https://ddactic-lab.online/sc/beacon (postinstall.js:48). A DNS-exfil fallback encodes the package slug, CI label, and a hash into a subdomain of b.ddactic-lab.online (postinstall.js:62, dns.lookup(...b.ddactic-lab.online)) to bypass HTTP-blocking egress proxies.

The leaked data (internal CI provider, private registry URL, GitHub repo/workflow names) is reconnaissance material for follow-on dependency-confusion attacks against the victim's internal infrastructure.
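The two traits the summary describes, an implausible version winning resolution for a name that should never come from the public registry, and an install script that fingerprints the host and CI environment before opening an HTTP or DNS egress path, are both checkable before npm runs anything. The following is an added example written for this page, not code from the OSV record, Amazon Inspector, or the package itself: a pre-install audit over a package-lock.json (lockfileVersion 2/3 "packages" map) plus a heuristic scan of an install script's source. The lockfile fragment, the script text, the internal-package list and the 9000 major-version threshold are constructed assumptions for illustration; the indicator regexes are indicative, not proof of malice.

```javascript
// Added example (not part of the OSV record or the package): a pre-install
// audit that catches the traits described in the advisory. The registry URL
// is the real public npm registry; everything else below is constructed.
'use strict';

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';
const SUSPICIOUS_MAJOR = 9000; // assumption: no legitimate package has major >= 9000

// Parse "MAJOR.MINOR.PATCH"; returns null when the string is not a plain semver triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Audit a package-lock.json object (lockfileVersion 2 or 3, "packages" keyed by
// "node_modules/<name>"). internalNames: names the organisation publishes only
// to its private registry, so they must never resolve from the public one.
function auditLockfile(lock, internalNames) {
  const findings = [];
  const internal = new Set(internalNames);
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const resolved = entry.resolved || '';
    const fromPublic = resolved.startsWith(PUBLIC_REGISTRY);
    if (internal.has(name) && fromPublic) {
      findings.push({ name, version: entry.version, rule: 'internal-name-from-public-registry' });
    }
    const ver = parseVersion(entry.version);
    if (ver && ver.major >= SUSPICIOUS_MAJOR) {
      findings.push({ name, version: entry.version, rule: 'implausible-version' });
    }
    if (entry.hasInstallScript && fromPublic) {
      findings.push({ name, version: entry.version, rule: 'install-script' });
    }
  }
  return findings;
}

// Heuristic static check of an install script: flag it when it both
// fingerprints the host/CI environment and has a network egress path
// (HTTP request or a DNS lookup usable as a covert channel).
const FINGERPRINT = [/os\.hostname\(/, /process\.env\.(GITHUB_|CI\b|BUILD_)/, /npm_config_registry/];
const EGRESS = [/https?\.request\(/, /fetch\(/, /dns\.(lookup|resolve)/];

function scanInstallScript(source) {
  const fingerprint = FINGERPRINT.filter((re) => re.test(source)).length;
  const egress = EGRESS.filter((re) => re.test(source)).length;
  return { fingerprint, egress, suspicious: fingerprint > 0 && egress > 0 };
}

// Constructed lockfile fragment modelled on the advisory: a name the
// organisation treats as internal has been resolved from the public
// registry at version 9999.99.99 with an install script.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'internal-app', version: '1.0.0' },
    'node_modules/tree-sitter-forth': {
      version: '9999.99.99',
      resolved: 'https://registry.npmjs.org/tree-sitter-forth/-/tree-sitter-forth-9999.99.99.tgz',
      hasInstallScript: true,
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
  },
};

// Constructed install-script text showing the indicator combination the
// advisory describes (this is not the real postinstall.js).
const SAMPLE_SCRIPT = `
const os = require('os'); const https = require('https'); const dns = require('dns');
const info = { host: os.hostname(), repo: process.env.GITHUB_REPOSITORY, reg: process.env.npm_config_registry };
https.request({ method: 'POST' }).end(JSON.stringify(info));
dns.lookup('x.example.invalid', () => {});
`;

console.log(auditLockfile(SAMPLE_LOCK, ['tree-sitter-forth']));
console.log(scanInstallScript(SAMPLE_SCRIPT));
```

Run it as a pre-merge check on the lockfile and fail the build on any finding; pair it with ignore-scripts=true in .npmrc and scoped registry configuration so an internal name can never fall through to the public registry in the first place.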
Source: amazon-inspector (16f52e13ffb66b20f7c3dca7022e8115dbce1f39264638d38b73d6488e4cbf27)