Malicious npm package published by the microsop threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal. The packages carry inflated semver values (e.g. 99.9.x, 100.1.x) so that npm resolves the public package in preference to a private internal package of the same name. All packages in the campaign falsely describe themselves as a "Security Research PoC" / MSRC research, run on preinstall via node index.js, and exfiltrate to disposable webhook.site endpoints.
This package targets Microsoft-internal infrastructure. On install it shells out to harvest /etc/passwd, probe /etc/shadow, locate SSH key material (id_rsa, *.pem, authorized_keys), enumerate .netrc / .dockercfg, query the AWS IMDS endpoint http://169.254.169.254/latest/user-data, and grep environment variables whose names match USER|PASS|TOKEN|CREDENTIAL. The collected output is POSTed to https://webhook.site/11b6a711-bdc7-4444-9a0e-ffcb23151e82 tagged status: ULTRA_USER_CREDENTIAL_SCOUT, target: global-microsoft-infra.
Exploitability: AV:N / AC:L / PR:N / UI:N
Scope: S:C
Impact: C:H / I:H / A:H
CVSS score: 10.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
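As an added example (not code from the advisory, the package, or any of the named vendors), a Node.js check that flags the combination of indicators described above in a package manifest and its source files: inflated major version, a lifecycle hook that runs node, the "Security Research PoC"/MSRC self-description, and source text referencing webhook.site, the IMDS endpoint, or credential files. The major-version threshold, the sample manifests, and the all-zero webhook id are constructed.

```javascript
// Indicator patterns taken from the behaviour described in the advisory.
const WEBHOOK_RE = /webhook\.site\/[0-9a-f-]{36}/i;     // disposable exfil endpoint
const IMDS_RE = /169\.254\.169\.254/;                    // AWS instance metadata probe
const CRED_FILE_RE = /\/etc\/(passwd|shadow)|id_rsa|\.pem\b|\.netrc|\.dockercfg|authorized_keys/;
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Parse the leading major number of a semver string; NaN if unparseable.
function majorVersion(version) {
  const m = /^(\d+)\./.exec(version || '');
  return m ? Number(m[1]) : NaN;
}

// Audit one package: `pkg` is the parsed package.json, `sources` maps file
// names to their text. `maxMajor` is a constructed threshold; tune it to the
// highest major version your organisation's private packages actually use.
function auditPackage(pkg, sources, { maxMajor = 50 } = {}) {
  const findings = [];
  if (majorVersion(pkg.version) >= maxMajor) findings.push(`inflated semver ${pkg.version}`);
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd && /\bnode\b/.test(cmd)) findings.push(`${hook} executes code: ${cmd}`);
  }
  if (/security research poc|msrc/i.test(pkg.description || '')) {
    findings.push('self-described "Security Research PoC" / MSRC');
  }
  for (const [file, text] of Object.entries(sources)) {
    if (WEBHOOK_RE.test(text)) findings.push(`${file}: webhook.site exfil endpoint`);
    if (IMDS_RE.test(text)) findings.push(`${file}: IMDS endpoint access`);
    if (CRED_FILE_RE.test(text)) findings.push(`${file}: credential file access`);
  }
  // Three or more independent indicators is the constructed "block" threshold.
  return { name: pkg.name, findings, suspicious: findings.length >= 3 };
}

// Constructed samples modelled on the advisory's description, not real packages.
const samplePkg = { name: 'example-internal-tool', version: '99.9.1',
  description: 'Security Research PoC', scripts: { preinstall: 'node index.js' } };
const sampleSources = { 'index.js':
  "// reads /etc/passwd, fetches http://169.254.169.254/latest/user-data,\n" +
  "// posts to https://webhook.site/00000000-0000-0000-0000-000000000000\n" };
const benignPkg = { name: 'left-pad', version: '1.3.0', description: 'String left pad' };

console.log(JSON.stringify(auditPackage(samplePkg, sampleSources), null, 2));
console.log(JSON.stringify(auditPackage(benignPkg, {}), null, 2));
```

Run it against every package in node_modules (package.json plus the files npm lists) before allowing a lockfile change to merge; the version threshold is the indicator most specific to this dependency-confusion campaign.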