Supply-chain threat intelligence
Risk score
92
Indexed incident for giantswarm (npm).
The package declares a preinstall hook (node index.js) that runs automatically on npm install. index.js collects host reconnaissance — hostname, platform, arch, home directory, username/uid/gid/shell, whoami, id, and cwd — and POSTs the collected data as JSON to a hardcoded Burp Collaborator subdomain at https://w305i20ui5s5476lc3b998z28tek2bq0.oastify.com/detox56. The package ships with empty description, author, and license fields and no functional code beyond the beacon. The unscoped name giantswarm impersonates the Giant Swarm vendor namespace, consistent with a dependency-confusion attack targeting private @giantswarm/* scopes.
Affected versions
Indicators
Timeline