
Security Alerts

Signals from Shoulder's ecosystem analysis: scanning new packages, detecting risk changes, and finding vulnerabilities.

Alerts are generated when Shoulder analyzes a package and detects a signal worth reviewing. Each alert links to a full threat report.

npm/@angriff36/[email protected] MEDIUM

Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

  • Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/@direxio/[email protected] CRITICAL

Install-time payload delivery: remote fetch + execution during install

  • matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_time_execution

npm/@h-rig/[email protected] MEDIUM

Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

  • Sensitive file access with network egress — credential exfiltration pattern

npm/@hasna/[email protected] CRITICAL

Bulk env-var sweep + shell exec at runtime — credential-stealer

  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Install hook sends traffic to flagged target (raw IP / paste site / tunnel) — dropper
  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
  • Install hook + credential reads + network to suspicious target (raw IP / paste site / tunnel) — credential stealer; not a legitimate cloud SDK
  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)

npm/@memberjunction/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Burst publisher with new account

npm/@memberjunction/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Burst publisher with new account

npm/@memberjunction/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Burst publisher with new account

npm/@memberjunction/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Burst publisher with new account

npm/@memberjunction/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Burst publisher with new account

npm/@memberjunction/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Burst publisher with new account

npm/@memberjunction/[email protected] CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

  • Burst publisher with new account

npm/@sentry/[email protected] CRITICAL

Import-time bundle the scanner could not fully inspect (streaming fallback on an oversized bundle) whose tarball ballooned sharply vs its last clean release and which carries a runtime execution / exfil surface (eval / shell / network) - uninspectable runtime payload, anomalous for this lineage, failing closed

  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

npm/@sigmashake/[email protected] CRITICAL

Install-time payload delivery: remote fetch + execution during install

  • matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_time_execution

pypi/[email protected] CRITICAL

Payload delivery from suspicious source: IOC URL + execution capability

  • Bulk env-var sweep + shell exec at runtime — credential-stealer
  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Raw socket usage paired with credential reads — possible TCP exfil bypass

pypi/[email protected] MEDIUM

Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence

  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)

npm/[email protected] CRITICAL

Install hook spawns dynamic / forked-detached shell — dropper attribution

  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)