Supply-chain threat intelligence
Risk score: 92
Indexed incident for ripshakti1 (npm).
package.json declares a preinstall lifecycle hook (node index.js) that runs automatically on npm install. index.js queries the AWS EC2 instance metadata service (IMDSv2 and IMDSv1) at 169.254.169.254 for IAM role credentials, the instance identity document, user-data, and network/host metadata; queries the ECS task credentials endpoint at 169.254.170.2; and filters process.env for keys matching secret-shaped patterns (key, secret, token, pass, auth, cred, api, aws, database, db_, mongo, redis, s3, sqs, sns, lambda, role). Each payload is base64-encoded and exfiltrated via an HTTPS GET request to the attacker-controlled Burp Collaborator subdomain a2de2lw03amqkgbex432znqb72du1kp9.oastify.com. Because it is an install hook, this fires on every npm install, including transitive installs and installs on CI runners.
The OpenSSF Package Analysis project identified 'ripshakti1' @ 81.0.0 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline