VDB
EN

MAL-2026-6986

Malicious code in @luminarycloudinternal/frodo (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (58ed68e675b2b6cde30e6b7c8e34077eda805a4bde64ca7cd2c68c6f4370ee5f) Package published under a scope shadowing internal Luminary Cloud packages (@luminarycloudinternal) at version 9999.0.1 — the canonical dependency-confusion shape designed to win version resolution over a private internal package of the same name. On install, postinstall.js (line 8) performs an HTTPS GET to a hardcoded external host (poc-luminary-npm-1782987043.testingboxes.com) carrying installer-owned CI and host identifiers: GITHUB_REPOSITORY, GITHUB_SHA, GITHUB_REF, GITHUB_WORKFLOW, RUNNER_NAME, os.hostname(), and npm user-agent. When a build system misresolves the internal name to the public registry, this postinstall runs automatically and discloses internal repository, workflow, commit, and runner identifiers to a third-party endpoint. The package self-identifies as a Bugcrowd research canary, but self-labeling does not change the mechanism: installer-owned metadata leaves the machine at install time to a non-first-party destination via a namespace-squat.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @luminarycloudinternal/frodo

No fixed version published yet for @luminarycloudinternal/frodo (npm). Pin to a known-safe version or switch to an alternative.

참고