npm

ts-ankle@1.1.0

Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 11:53 PM UTC

Malicious

OSV ID

MAL-2026-6548

Ecosystem

npm

Summary

On npm install, ts-ankle@1.1.0 runs a postinstall hook (node test.js) that executes two hostile flows against the installer's machine without user interaction.

(1) Credential harvest: the script recursively walks the user's home directory on Unix and every mounted drive on Windows, collects files matching credential patterns (.env, .json, .toml, .pem, id.json, etc.), and POSTs them as multipart form uploads to https://datasecure-service.vercel.app/api/v1. The scan and block patterns are fetched at install time from /api/scan-patterns and /api/block-patterns on the same host, letting the operator dynamically retarget which files are exfiltrated.

(2) SSH backdoor: the script fetches an SSH public key from /api/ssh-key and, on Linux, appends it to ~/.ssh/authorized_keys, chowns the directory via sudo, and runs sudo ufw enable and sudo ufw allow 22/tcp to ensure inbound SSH is reachable, granting the operator persistent remote access to the installer's host.

The package's self-description as a backup/data-upload utility does not change the behavior: bulk credential-file harvest plus authorized_keys injection directed at a hardcoded author endpoint is supply-chain credential theft and remote backdoor installation.

Source: amazon-inspector (1695e2ffa9252abe1053fc13895a071bd87cb27eb009eeb2262aae1a27da4ea5)
