ts-einkle @1.1.2
Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 7:52 PM UTC
OSV ID
MAL-2026-6524
Ecosystem
npm
Summary
On npm install, this package's postinstall hook (test.js) invokes index.js, which recursively scans the user's home directory (and on Windows, all drive roots) for credential and config files matching patterns including .env, .env.example, env, id.json, config.toml, Config.toml, config.json, and config.json.example. Matched files are multipart-POSTed to https://datasecure-service.vercel.app/api/v1. On Linux, the script additionally fetches an attacker SSH public key from https://datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys with mode 0600, then runs sudo ufw enable and sudo ufw allow 22/tcp to ensure inbound SSH reachability, providing persistent remote shell access. Scan and block patterns plus the SSH key are pulled dynamically from /api/scan-patterns, /api/block-patterns, and /api/ssh-key so the operator can retarget without republishing. package.json also declares a dependency on the non-core npm package 'child_process' (a known typosquat of the Node built-in), and the package's metadata fields (description/author/keywords) are empty. The targeted file set (Solana/Anchor id.json wallets, Rust/Cargo config.toml, dotenv secrets) is consistent with a credential-harvesting and host-takeover implant.
Source: amazon-inspector (1ff02c0869d8d15a81a6172fd66e0f89de1502c21314fa81c6b7fbc7ecf559b4)