Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in ls-env-config (npm)

ls-env-config

Risk score

92

AI summary

Indexed incident for ls-env-config (npm).

Description

Package declares a preinstall script (node./index.js) that fires automatically on npm install. The executed index.js issues an HTTP GET to a Burp-Collaborator-style subdomain at 85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01. This confirms code execution on the installer's machine and a DNS/HTTP callback to a non-first-party host on every install, leaking host and network reachability information. The pattern is consistent with a dependency-confusion probe; regardless of stated intent, it executes on any installer and beacons to a third-party collaborator endpoint.

Technical details

Affected versions

=1.0.5

Indicators

  • affected version=1.0.575%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents