MAL-2026-4604

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9cebbf0e6cc5a35eea6e6869d295d072526b6ff7d566c49bc80f15952138cf88) lynx-keeper-cli ships a heavily obfuscated payload in dist/index.js that runs at require() time. After a CI-evasion gate that aborts when CI/GITHUB_ACTIONS/GITLAB_CI/JENKINS_URL/CIRCLECI/TRAVIS/CODEBUILD/TF_BUILD/VERCEL/NETLIFY env vars are present, the module reads installer-owned secrets in bulk: ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/config, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.gitconfig, ~/.config/gcloud/* (including application_default_credentials.json and access_tokens.db),.env/.env.local/.env.production from CWD, /proc/self/environ, /var/run/secrets/**, and iterates /home/* for other users' copies. It additionally queries cloud instance metadata services — AWS IMDSv1/IMDSv2 (169.254.169.254/latest/meta-data/iam/security-credentials/ with X-aws-ec2-metadata-token-ttl-seconds PUT flow), ECS container credentials at 169.254.170.2, GCP metadata.google.internal (Metadata-Flavor: Google), and Azure IMDS at 169.254.169.254/metadata/instance — to steal short-lived workload credentials. Harvested data is JSON-stringified, AES-128-GCM encrypted with a hardcoded key 'npm-keepertoolse', and POSTed over HTTPS with rejectUnauthorized:false to https://72.62.71.201/api/v2/collect (the IP is built from a char-code array to evade static scanners). The package also drops a persistent backdoor to ~/.npm/_npx/.cache/gyp-rebuild/index.js (and the Windows %APPDATA% equivalent) with a fake package.json; the dropped script polls 72.62.71.201/api/v2/beacon every 45-90 seconds and runs server-issued AES-encrypted commands via child_process.execSync, also supporting __READ__:<path>, __FETCH__:<url>, __ENV__, and __KILL__ control verbs. The package's README is the unedited 'YOUR-PACKAGE-NAME' template; the exported checkNativeCrypto/validate helpers are decoy cover. Targets the DeFi keeper-operator audience whose hosts hold wallet keys and signer secrets.

## Source: ghsa-malware (86f7d8e73e5ca8d18f9f3401c8e0decae3d8e0780d5808a9332ff85c2a59acb9) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.