
Security Alerts

Signals from Shoulder's ecosystem analysis — new packages scanned, risk changes detected, and vulnerabilities surfaced.

Alerts are generated when Shoulder analyzes a package and detects signals worth reviewing. Each alert links to a full threat briefing.

npm/@aws-amplify/[email protected] HIGH

deps_version_changed=[@aws-sdk/client-kinesis: 1.0.0-beta.3 → 1.0.0-gamma.8, @aws-sdk/client-personalize-events: 1.0.0-beta.3 → 1.0.0-gamma.8, @aws-sdk/client-pinpoint: 1.0.0-beta.3 → 1.0.0-gamma.8, @aws-sdk/client-firehose: 1.0.0-beta.3 → 1.0.0-gamma.8] with maintainer change on package with 1,585,915 weekly downloads

npm/@forsakringskassan/[email protected] CRITICAL

Install-time payload delivery: remote fetch + execution during install

  • matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_time_execution

npm/@geminilight/[email protected] CRITICAL

Payload delivery from suspicious source: IOC URL + execution capability

  • Bulk env-var sweep + shell exec at runtime — credential-stealer
  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Install hook spawns dynamic / forked-detached shell — dropper attribution
  • Install hook sends traffic to flagged target (raw IP / paste site / tunnel) — dropper
  • Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
  • Install hook + credential reads + network to suspicious target (raw IP / paste site / tunnel) — credential stealer; not a legitimate cloud SDK
  • Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
  • Install hook + credential-file reads + network — credential stealer shape (scopes may be install or runtime; install hook can transitively reach runtime caps)
  • Sensitive file access with network egress — credential exfiltration pattern
  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/@mindexec/[email protected] CRITICAL

Payload delivery from suspicious source: IOC URL + execution capability

  • Dynamic / forked-detached shell paired with code obfuscation — runtime dropper attribution (no install hook required)
  • Bulk env-var sweep + shell exec at runtime — credential-stealer
  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Install hook spawns dynamic / forked-detached shell — dropper attribution
  • Install hook sends traffic to flagged target (raw IP / paste site / tunnel) — dropper
  • Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)

npm/@zeniai/[email protected] MEDIUM

Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

  • Dynamic code evaluation with network access — potential code injection or exfiltration

pypi/[email protected] HIGH

Payload delivery from suspicious source: IOC URL + execution capability

  • Sensitive file access with network egress — credential exfiltration pattern

npm/[email protected] CRITICAL

Install-time payload delivery: remote fetch + execution during install

  • matched: verdict_payload_delivery_and_execution, verdict_suspicious_install_time_execution

npm/[email protected] HIGH

Publisher's current primary email is on a known burner / anonymous-by-design provider — ongoing hijack-shape state (persists across versions; companion to the transition signal)