Cloud-credential theft disguised as a React colour picker
The npm package [email protected] advertised itself as a "Minimal color picker component for React." Its postinstall hook instead queries the cloud instance-metadata service (169.254.169.254) — the endpoint that hands out temporary IAM credentials to code running on AWS/GCP/Azure. A different technique from the download-execute droppers, aimed squarely at stealing cloud credentials from CI runners. Catalogued in OSV as MAL-2026-6473; surfaced independently by codelake's dropper pipeline.
The npm package colorpicker-ui (version 1.2.5) impersonated a harmless UI component — "Minimal color picker component for React with HSL and hex support." It shipped four files (index.js, setup.js, a README and package.json), with no dependencies and no repository.
On npm install, a postinstall: node setup.js hook executes automatically and reaches out to http://169.254.169.254/latest/meta-data/ — the link-local instance-metadata service (IMDS). On a cloud host (an AWS/GCP/Azure CI runner or server), that endpoint returns the machine's temporary IAM role credentials. Harvesting them gives an attacker the cloud identity of the build environment — a path to the wider account.
This is a distinct technique from the download-execute date-utility droppers: no second-stage binary, just a direct grab at cloud credentials via the metadata endpoint. codelake surfaced it through the same dropper filter (a flagged install-run script) and flagged its target as the reserved IMDS address.
1 · Impersonation. A benign-sounding React component name and description lower suspicion in a frontend dependency list.
2 · Auto-execution. A postinstall: node setup.js entry runs on install, before the package is imported.
3 · Metadata query. The setup script requests 169.254.169.254 — the cloud instance-metadata service — which, on a cloud host, exposes temporary IAM credentials and instance identity.
4 · Credential exfiltration. Harvested credentials give the operator the CI/build environment's cloud identity — often enough to pivot into buckets, registries, or secrets in the same account.
Detected independently by codelake Research · structural dropper filter · deterministic target extraction (flagged the reserved IMDS address). Catalogued in OSV as MAL-2026-6473 — cited here with attribution; documented for its distinct cloud-credential-theft technique.
No working payload or reproduction is published here — the technique is described. The original artifact is preserved in the codelake archive and available to verified security researchers on request.