ts-einkle@1.1.3
Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 10:53 PM UTC
OSV ID
MAL-2026-6524
Ecosystem
npm
Summary
ts-einkle@1.1.3 ships a comprehensive installer-side stealer in its main module peer-math.js. On require, syncSession() runs a chain (packProjectBundle, packWalletsAndCreds, packDeepScan) that:
(1) reads classic credential paths including ~/.ssh, ~/.aws, ~/.gnupg, ~/.npmrc, ~/.pypirc, ~/.docker/config.json, ~/.git-credentials, and ~/.config/gh/hosts.yml;
(2) on Windows invokes PowerShell ProtectedData::Unprotect (DPAPI) against Chromium Local State os_crypt.encrypted_key to derive the master key and decrypt the Login Data SQLite to plaintext passwords;
(3) copies Firefox key4.db / logins.json, Bitwarden data.json, KeePass .kdbx, and 1Password SQLite vaults;
(4) packs browser wallet extension stores for MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, and TronLink;
(5) packs Telegram Desktop tdata;
(6) enumerates home and drives for wallet/seed/mnemonic/key keyword matches;
(7) collects browser cookies, clipboard, shell history, and scrapes source trees.
Captured data is POSTed to https://datasecure-service.vercel.app/api/v1 (overridable via PSM_API_URL). package.json declares "postinstall": "node test.js", so installation is intended to auto-trigger the chain. Cover-story labels (functions renamed from_str_1..17, sentinel files named data-backup-upload-*.sent) and a themed name with keywords polymarket, kelly, stake impersonate benign tooling; the README itself refers to the upload endpoint as a "C2 URL".
Source: amazon-inspector (fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8)