Bulk env-var sweep + shell exec at runtime — credential-stealer
Security alerts
Signals from Shoulder's ecosystem analysis: new packages scanned, risk changes detected and vulnerabilities uncovered.
Alerts are generated when Shoulder analyses a package and detects signals worth reviewing. Each alert links to a full threat report.
size_delta=2368% from previous version (+14461KB, blast_radius=1,496)
Manifest repository URL points at a popular package's repo but this package's name differs — impersonation
Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
Namespace-coordinated publish burst with install-time entry point
- A dist-tag (e.g. latest) was moved to this version while it was less than 1 hour old — publish-side compromise indicator
Namespace-coordinated publish burst with install-time entry point
- A dist-tag (e.g. latest) was moved to this version while it was less than 1 hour old — publish-side compromise indicator
Payload delivery from suspicious source: IOC URL + execution capability
- Bulk env-var sweep + shell exec at runtime — credential-stealer
- Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
Payload delivery from suspicious source: IOC URL + execution capability
- Bulk env-var sweep + shell exec at runtime — credential-stealer
- Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
Payload delivery from suspicious source: IOC URL + execution capability
- Bulk env-var sweep + shell exec at runtime — credential-stealer
- Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
- Dynamic code evaluation with network access — potential code injection or exfiltration
Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
- Dynamic code evaluation with network access — potential code injection or exfiltration
Suspicious install-time execution: 2+ suspicious signals during install
- Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
Package name too similar to opencode-linux-x64 (1.4M weekly downloads)
Package name too similar to opencode-linux-x64-baseline (1.4M weekly downloads)
Package name too similar to opencode-linux-x64-baseline-musl (1.0M weekly downloads)
Payload delivery from suspicious source: IOC URL + execution capability
- Bulk env-var sweep + shell exec at runtime — credential-stealer
- Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
- Install hook spawns dynamic / forked-detached shell — dropper attribution
- Install hook sends traffic to flagged target (raw IP / paste site / tunnel) — dropper
- Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
- Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
A dist-tag (e.g. latest) was moved to this version while it was less than 1 hour old — publish-side compromise indicator
- Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
Payload delivery from suspicious source: IOC URL + execution capability
Install-time payload delivery: remote fetch + execution during install
- matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_time_execution