Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services (authentication, PKI, telemetry, CloudKit, and cloud infrastructure). All packages in this campaign execute credential-theft payloads during npm installation via preinstall or postinstall lifecycle hooks.
Trigger: preinstall. Executes ms_audit.sh on install: reads the full process environment from /proc/1/environ (including PID 1 / container init secrets), searches filesystem for entrypoint/startup scripts, and queries the GCP instance metadata API for all instance attributes; exfiltrates all data to https://webhook.site/e44df9ae-8bff-478a-b1f2-514c1fcbf303.
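A defender-side triage script, added here and not part of the advisory: it reads a package's package.json, reports every install-time lifecycle hook, and matches the hook command and any local script it runs against the indicators described above (the /proc/<pid>/environ read, the GCP metadata API, and the webhook.site endpoint). The sample package it builds is constructed for the demonstration; its shell script holds the indicator strings only as no-ops and performs no action.

```python
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Indicators taken from the behaviour the advisory describes.
INDICATORS = {
    "process-environment read via /proc/<pid>/environ": re.compile(r"/proc/(?:\d+|self)/environ"),
    "GCP instance metadata API": re.compile(r"metadata\.google\.internal|169\.254\.169\.254|computeMetadata"),
    "webhook.site exfiltration endpoint": re.compile(r"webhook\.site"),
}


def audit_package(pkg_dir):
    """Return one finding per lifecycle hook in package.json, listing the
    indicators matched in the hook command and in any package-local script it names."""
    pkg_dir = Path(pkg_dir)
    scripts = json.loads((pkg_dir / "package.json").read_text()).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        texts = [cmd]
        # A token naming a file inside the package (e.g. "sh ms_audit.sh") is read too.
        for token in cmd.split():
            candidate = pkg_dir / token
            if candidate.is_file() and candidate.resolve().is_relative_to(pkg_dir.resolve()):
                texts.append(candidate.read_text(errors="ignore"))
        matched = sorted({name for name, rx in INDICATORS.items()
                          for text in texts if rx.search(text)})
        findings.append({"hook": hook, "command": cmd, "indicators": matched})
    return findings


def build_sample_package():
    """Write a constructed package shaped like the advisory's (a preinstall hook
    running a shell script) into a temp dir and return its path. The script body
    carries only the indicator strings behind the shell no-op ':' and does nothing."""
    d = Path(tempfile.mkdtemp())
    (d / "package.json").write_text(json.dumps({
        "name": "constructed-sample", "version": "0.0.0",
        "scripts": {"preinstall": "sh ms_audit.sh"}}))
    (d / "ms_audit.sh").write_text(
        "#!/bin/sh\n: /proc/1/environ\n"
        ": http://metadata.google.internal/computeMetadata/v1/instance/attributes/\n"
        ": https://webhook.site/PLACEHOLDER-ID\n")
    return d


if __name__ == "__main__":
    for f in audit_package(build_sample_package()):
        print(f["hook"], "->", f["command"], "|", ", ".join(f["indicators"]) or "no indicators")
```

Run it against an unpacked tarball (npm pack, then extract) before installing, or pair it with `npm install --ignore-scripts` so lifecycle hooks never execute until reviewed.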
The package npm-global-util was found to contain malicious code.
Versions: 1.3.2, 1.3.4
CVSS 3.1 base score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability: AV:N, AC:L, PR:N, UI:N
Scope: S:C
Impact: C:H, I:H, A:H