deps_version_changed=[@aws-sdk/client-kinesis: 1.0.0-beta.3 → 1.0.0-gamma.8, @aws-sdk/client-personalize-events: 1.0.0-beta.3 → 1.0.0-gamma.8, @aws-sdk/client-pinpoint: 1.0.0-beta.3 → 1.0.0-gamma.8, @aws-sdk/client-firehose: 1.0.0-beta.3 → 1.0.0-gamma.8] with maintainer change on package with 1,585,915 weekly downloads
Security alerts
Signals from Shoulder's ecosystem analysis: new packages scanned, risk changes identified, and vulnerabilities surfaced.
Alerts are generated when Shoulder analyzes a package and identifies signals that warrant review. Each alert links to a full threat briefing.
Payload delivery from suspicious source: IOC URL + execution capability
Payload delivery from suspicious source: IOC URL + execution capability
Install-time payload delivery: remote fetch + execution during install
- matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_time_execution
Payload delivery from suspicious source: IOC URL + execution capability
- Bulk env-var sweep + shell exec at runtime — credential-stealer
- Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
- Install hook spawns dynamic / forked-detached shell — dropper attribution
- Install hook sends traffic to flagged target (raw IP / paste site / tunnel) — dropper
- Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
- Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
- Install hook + credential reads + network to suspicious target (raw IP / paste site / tunnel) — credential stealer; not a legitimate cloud SDK
- Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
- Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
- Install hook + credential-file reads + network — credential stealer shape (scopes may be install or runtime; install hook can transitively reach runtime caps)
- Sensitive file access with network egress — credential exfiltration pattern
- Dynamic code evaluation with network access — potential code injection or exfiltration
Payload delivery from suspicious source: IOC URL + execution capability
Namespace-coordinated publish burst with install-time entry point
Behavioral change: new process control without corroborating signals
Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
- Dynamic code evaluation with network access — potential code injection or exfiltration
npm main entrypoint contains side-effecting code AFTER its last module.exports / export default — runs silently on require() and reaches a dangerous capability (install-hook bypass)
Payload delivery from suspicious source: IOC URL + execution capability
- Sensitive file access with network egress — credential exfiltration pattern
Payload delivery from suspicious source: IOC URL + execution capability
Payload delivery from suspicious source: IOC URL + execution capability
Install-time payload delivery: remote fetch + execution during install
- matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_time_execution
Publisher's current primary email is on a known burner / anonymous-by-design provider — ongoing hijack-shape state (persists across versions; companion to the transition signal)