webservices.rest-utils @1.0.8
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4336
Ecosystem
npm
Summary
package.json declares both preinstall and postinstall hooks that execute index.js, which exfiltrates installer data to a base64-encoded Cloudflare Worker destination (openmrs-sol-dev-v2.lapxa354.workers.dev).

The payload includes hostname, username, network interfaces, /etc/resolv.conf, .git/HEAD, ~40 CI/CD environment variables (GITHUB_*, GITLAB_*, AWS_*, CIRCLE_*, BUILDKITE_*, VERCEL_*, etc.), recursively walked package.json metadata, .npmrc registry/scope hints, and presence indicators for ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker, ~/.npmrc, ~/.gitconfig, shell histories.

When cloud env-var probes match, the script contacts the cloud metadata IP (encoded as decimal 2852039166 == 169.254.169.254) to harvest live AWS IMDSv2 IAM tokens, GCP service-account access tokens, and Azure managed-identity tokens; the first 40 characters of each are appended to the exfil. It additionally performs DNS reconnaissance against ~25 internal hostnames (kubernetes.default.svc.cluster.local, vault.internal, consul.service.consul, gitlab.local, jenkins.local, ec2.internal, rancher.internal, etc.) for lateral-movement targeting.

package.json declares 11 bin aliases (webpack, vite, tsc, eslint, jest, gulp, next, turbo, prettier, tsnode), all pointing at the same malicious index.js, so every subsequent invocation of those common dev commands re-triggers the exfiltrator while forwarding to the real tool to mask the hijack.

Obfuscation (base64 destination, decimal-encoded metadata IP, MalekAbuLialaResearch/1.0 cover User-Agent, [Webpack-Debug-MAB-v1] log label) confirms intent.
Source: amazon-inspector (5c9c78a4d0c87def69bbc5337e41a730e7ca6ae898426759915f053dc584581c)
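
A dependency-review check for three of the traits described in the summary (install hooks, bin names that shadow common dev tools, and the decimal-encoded metadata address). It is an added example, not code from the package or from the advisory source; the function names, rule labels and sample manifests are constructed for illustration.

```javascript
// Added example: helper names and sample data are constructed, not from the package.
const COMMON_TOOLS = new Set(["webpack", "vite", "tsc", "eslint", "jest",
  "gulp", "next", "turbo", "prettier", "tsnode"]); // names listed in the report
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const METADATA_IP = "169.254.169.254";

// Convert a 32-bit integer to dotted-quad notation (2852039166 -> 169.254.169.254).
function dottedQuad(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

// Return a list of findings for a parsed package.json and the text of its entry script.
function auditManifest(pkg, sourceText = "") {
  const findings = [];
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
  if (hooks.length > 0) findings.push({ rule: "install-hook", detail: hooks });

  // "bin" may be a single string (named after the package) or a name -> path map.
  const bin = typeof pkg.bin === "string" ? { [pkg.name]: pkg.bin } : pkg.bin || {};
  const shadowed = Object.keys(bin).filter(
    (name) => COMMON_TOOLS.has(name) && name !== pkg.name);
  if (shadowed.length > 0) findings.push({ rule: "bin-shadows-tool", detail: shadowed });

  // Integers of 8-10 digits that decode to the cloud metadata address.
  const encoded = (sourceText.match(/\b\d{8,10}\b/g) || []).filter((tok) => {
    const n = Number(tok);
    return n <= 0xffffffff && dottedQuad(n) === METADATA_IP;
  });
  if (encoded.length > 0) findings.push({ rule: "encoded-metadata-ip", detail: encoded });
  return findings;
}

// Constructed manifest and source line mirroring the traits in the report.
const SUSPECT = {
  name: "example-pkg",
  scripts: { preinstall: "node index.js", postinstall: "node index.js" },
  bin: { webpack: "index.js", vite: "index.js", tsc: "index.js", jest: "index.js" },
};
const SUSPECT_SRC = "const host = 2852039166; // constructed line";
// Constructed benign manifest: a tool shipping its own bin under its own name.
const BENIGN = { name: "eslint", bin: { eslint: "./bin/eslint.js" } };

console.log(JSON.stringify(auditManifest(SUSPECT, SUSPECT_SRC), null, 2));
console.log(auditManifest(BENIGN).length); // 0 findings
```

Install hooks alone are common in legitimate packages; the combination with shadowed bin names or an encoded metadata address is what warrants manual review.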