// npm package
react-dom-helper
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-04
// exfil path
what is read → where it shipssteals
- ● AWS keys
- ● npm token
- ○ home dir
sends to
- ⌖ 104.248.94.23
// offending code· @1.0.0· 1 file flagged
llm: malicious · 0.95→ Credential read (reads-aws-creds, reads-npmrc) paired with http-to-public-ip destination — classic exfiltration signature.
- @1.0.0··AUTO-PUBLISHED·publisher: k4nx9zfp82heuristic 83/100static flags 4llm malicious (0.95) via fast-trackinstall-scripts:preinstallnew-publisher:19dtiny-tarball:412bfirst-version-suspicious-publisherreads-aws-credsreads-npmrcreads-homedirhttp-to-public-ip
→ Credential read (reads-aws-creds, reads-npmrc) paired with http-to-public-ip destination — classic exfiltration signature.
// NHI intent1 target·mixed harvest patterns·gate: always - gh CLI token store