Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in babel-preset-lib-client (npm)

babel-preset-lib-client

Risk score

92

AI summary

Indexed incident for babel-preset-lib-client (npm).

Description

index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP (via https://api.ipify.org), current working directory, the full output of printenv (base64-encoded), and the base64-encoded output of tree../, then POSTs the aggregated payload to a hardcoded Discord webhook at https://discord.com/api/webhooks/1524917003394089029/. The package name mimics the babel-preset naming convention but the code implements no Babel functionality; author, description, and keywords are empty. Any consumer that installs and requires this package leaks its full process environment (typically including NPM_TOKEN, AWS_*, GITHUB_TOKEN, and other CI/developer secrets) plus a listing of the parent directory to the attacker-controlled Discord channel.

Technical details

Affected versions

=4.9.10=4.9.9=4.9.11

Indicators

  • affected version=4.9.1075%
  • affected version=4.9.975%
  • affected version=4.9.1175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents