npm

zest-product @99.9.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4738

Ecosystem

npm

Summary

On npm install, postinstall.js collects host identity and environment data (os.hostname(), username, process.cwd(), process.env values, plus the output of whoami, hostname and id run via child_process.execSync) and ships it over the network. The collected data is base64-encoded (Buffer.from(...).toString('base64')) before transmission via https.request. Outbound destinations include https://app.interactsh.com (an out-of-band interaction service commonly used for blind-exfiltration and SSRF beacons) and http://lululemon.jfrog.io (a JFrog endpoint referenced by hardcoded URL, consistent with a dependency-confusion attack targeting Lululemon's internal package namespace). index.js additionally builds a curl -X POST command that interpolates $(whoami), $(hostname) and id, and runs it via child_process.exec.

The 99.9.0 version number combined with the lululemon.jfrog.io reference is the canonical dependency-confusion fingerprint: publish a public package whose name matches an internal one with an implausibly high version, so that a resolver that prefers the highest available version picks the public package over the private one.

Impact on the installing host: identity, environment variables (which frequently carry tokens and credentials), working-directory contents, and internal-network reachability data are leaked to attacker-controlled infrastructure on every install, before any application code is run.

Source: amazon-inspector (c9081ad708b658c1bd56299e401ca6a764cc9137d99573bc922d38a7381cc30d)
