Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in ac-raf-emitter (npm)

ac-raf-emitter

Risk score

92

AI summary

Indexed incident for ac-raf-emitter (npm).

Description

package.json declares a preinstall lifecycle script that runs curl -X POST against a hardcoded webhook.site collector URL (https://webhook.site/54919426-084d-4288-8f80-e36ae5c76e32), passing the installer's hostname and a timestamp as query parameters. The exfiltration fires automatically on npm install before any consumer code runs. The destination is an anonymous, author-controlled request-inspection endpoint with no legitimate role in the package's advertised functionality.

Technical details

Affected versions

=3.0.1

Indicators

  • affected version=3.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents