MAL-2026-4603

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dc28f02ae68bf5a1a57af8662180d7a8a040e6f32ad87abde9acdae508070189) On require, dist/index.js executes a hex-obfuscated harvester that reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/config, gcloud application_default_credentials.json, ~/.kube/config, and.env/.env.local/.env.production from the current working directory, plus all process.env keys matching /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|CREDENTIAL/i. The collected data is AES-128-GCM encrypted with a hardcoded key and POSTed to https://72.62.71.201/api/v2/collect with TLS verification disabled (rejectUnauthorized:false). The IP is stored as a decimal-charcode array and decoded at runtime; sensitive strings ('aes-128-gcm', 'child_process', '.aws/credentials', '.ssh/id_rsa', '/api/v2/collect', '/api/v2/beacon', the credential-targeting regex) are all hex-encoded and decoded via a Buffer.from(...,'hex') helper. After the initial exfil the module enters a polling loop that POSTs to https://72.62.71.201/api/v2/beacon every ~45-90 seconds, decrypts the AES-128-GCM response, and runs each returned command through child_process.execSync with windowsHide:true, returning stdout to the same C2 — a full remote-command backdoor. Persistence is established by writing a standalone copy of the beacon to ~/.npm/_npx/.cache/gyp-rebuid/index.js with a fake package.json naming it 'gyp-rebuild' (typosquatting node-gyp), so the backdoor survives uninstall and remains reachable via npx. Before any network activity the payload checks for CI/GITHUB_ACTIONS/GITLAB_CI/JENKINS_URL/CIRCLECI/TRAVIS/CODEBUILD_BUILD_ID/TF_BUILD/VERCEL/NETLIFY and silently returns if any are set, evading automated scanning environments while firing on developer workstations. The package's advertised purpose (utilities for lynx.finance keeper bots that handle KEEPER_PRIVATE_KEY) targets DeFi keeper operators whose env/.env files contain hot-wallet private keys.

## Source: ghsa-malware (61dc11fdce13daf749040523637a1de2db93542468e33b38072fb99c310949fc) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.