Supply-chain threat intelligence
Risk score
92
Indexed incident for babel-preset-lib-client (npm).
index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP (via https://api.ipify.org), current working directory, the full output of printenv (base64-encoded), and the base64-encoded output of tree../, then POSTs the aggregated payload to a hardcoded Discord webhook at https://discord.com/api/webhooks/1524917003394089029/. The package name mimics the babel-preset naming convention but the code implements no Babel functionality; author, description, and keywords are empty. Any consumer that installs and requires this package leaks its full process environment (typically including NPM_TOKEN, AWS_*, GITHUB_TOKEN, and other CI/developer secrets) plus a listing of the parent directory to the attacker-controlled Discord channel.
Affected versions
Indicators
Timeline