ts-bn-lint @5.8.0

Summary

ts-bn-lint@3.1.19 is a credential harvester disguised as a TypeScript/lint utility. index.js defines decodeStr which base64-decodes all operationally sensitive strings, including the C2 endpoint https://data-stream.space/api/v1 (index.js:32) and the target filename patterns .env , config.toml , Config.toml , config.json , id.json , and env (index.js:13-18). The exported from_str function recursively walks process.cwd() collecting files matching those patterns, then gathers shell histories by invoking execSync("bash -c history") and execSync("zsh -c 'fc -l -1000'") (index.js:101, 117), tagging each upload with the local username and IP for victim correlation before POSTing to the C2 endpoint. The id.json target is the standard Solana CLI keypair file; .env and config.* typically contain API keys and database credentials. The package's own test.js calls from_str() unconditionally, so npm test triggers exfiltration; any consumer who requires the package and calls the exported function does the same. Package metadata is empty (no author, no description) and the name impersonates the TypeScript/lint tooling namespace.

Source: amazon-inspector (e591f0b407bc22e3abe20da9207df2d2922f75d98ab97aaa62557ca88b8fc349)