-= Per source details. Do not edit below this line.=-
On npm install (via the prepare lifecycle hook and many other lifecycle aliases) and on require(), index.js performs broad reconnaissance and exfiltration of the installer's environment. It collects hostname, username, architecture, working-directory tree, network interfaces, /etc/resolv.conf, process list, .git/HEAD, UID/GID, project package.json metadata, ~/.npmrc registry/scope configuration, the developer's git identity (via git config --global user.email), CI/CD environment variables (GITHUB_*, GITLAB_*, AWS_*, CIRCLE_*, etc.), and the presence of ~/.ssh, ~/.aws, ~/.kube.

When running on a cloud instance it queries the IMDS endpoint at 169.254.169.254 (stored as the decimal-encoded host 2852039166), obtains an IMDSv2 token, fetches the IAM role and temporary STS credentials, and includes the first 40 characters of the access token in the payload; equivalent paths exist for Azure and GCP metadata. It also performs DNS reconnaissance against internal-only hostnames (kubernetes.default.svc.cluster.local, vault.internal, consul.service.consul, gitlab.local, jenkins.local, redis.internal, etc.) to map the victim's internal network.

Collected data is base64-encoded, fragmented, and exfiltrated via chunked HTTPS GET requests to momo-rest.lapxa354.workers.dev (a Cloudflare Workers C2 endpoint), with the destination obscured via Buffer.from("bW9tby1yZXN0LmxhcHhhMzU0LndvcmtlcnMuZGV2", "base64").toString() at index.js:43.

The package additionally squats common build-tool command names by declaring bin entries for webpack, vite, tsc/tsnode, jest, eslint, gulp, next, turbo, and prettier, all aliased to index.js, and spawns the real local tool (e.g. webpack-cli) afterwards to mask the malicious behavior when invoked via PATH or npx.
{
  "malicious-packages-origins": [
    {
      "modified_time": "2026-06-09T18:03:59Z",
      "versions": [
        "1.0.8"
      ],
      "sha256": "405cf847121f4bfed32bc5679a40b64c1338b142af75823ef9583944a7ae7b5a",
      "id": "IN-MAL-2026-005167",
      "source": "amazon-inspector",
      "import_time": "2026-06-09T18:50:21.700896197Z"
    }
  ]
}

{
  "evidence_files": [
    {
      "sha256": "32507e950dee91e172fba9373a91161de2d849a4e95b767f88033cfe9eefd846",
      "tlsh": "1d13a6195136261586b1f7fb9a435825fb3762a3224286c43eec4b446fb316891e2ffc",
      "path": "index.js"
    },
    {
      "sha256": "fe6f2b33ead4704b8ce4ab4ce005c2da52d7a62526cb776fa729a95e67be4129",
      "tlsh": "3351ceb3deb10e2254bd9ee5946a2d89f5d3473f20580487f0bd126dabf26a1c8cdb04",
      "path": "package.json"
    }
  ],
  "package_integrity": [
    {
      "hashes": {
        "sha512_sri": "sha512-c0rjns1NsAjDM4UUU7ZyyMg1Hp3x+nFtBfUNgZayoZkfRBLyEa1eSRS5ZuCGRUM1siVxEoLaUQ7Fi3uXDrDBaw==",
        "sha1": "bf67a8e960798115de625ac7257998a789040105"
      },
      "filename": "fhirproxy-utils-1.0.8.tgz"
    }
  ]
}
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fhirproxy-utils/MAL-2026-5461.json"