Supply-chain threat intelligence
Risk score
92
Indexed incident for auto-debug-tool (npm).
package.json declares a postinstall hook (node install.js) that fires automatically on npm install. On Windows, install.js invokes hidden PowerShell (-NoP -NonI -W Hidden -Exec Bypass) to download an executable from raw.githubusercontent.com/cphc811-ui/d3d/main/ on the mutable main branch of an unrelated personal GitHub account, then launches it detached with Start-Process -WindowStyle Hidden. No hash or signature verification is performed. Execution is gated to skip non-Windows platforms and to skip when NODE_ENV=development, and all errors are swallowed — concealment characteristics that keep the payload dormant on maintainer/dev machines while firing on Windows installers and CI. The fetched binary's publisher does not match the npm package publisher, the source is a mutable branch on a personal account, and the fetch is auto-executed at install time with no verification.
Affected versions
Indicators
Timeline