⛔ Malware Advisory Detected independent detection (dropper pipeline)
Confirmed malicious. codelake independently detected this at independent detection (dropper pipeline) — Attribution: colorpicker-ui is catalogued in OSV as MAL-2026-6473 (published 2026-06-25). codelake detected and classified it independently via its dropper-hunting pipeline; this advisory documents it for its DISTINCT technique — cloud instance-metadata credential theft — and as a data point in the broader install-hook dropper wave.. Also documented publicly: MAL-2026-6473 (OSV, 2026-06-25 · 20:16 UTC).
Advisory · CLR-2026-2993

Cloud-credential theft disguised as a React colour picker

The npm package [email protected] advertised itself as a "Minimal color picker component for React." Its postinstall hook instead queries the cloud instance-metadata service (169.254.169.254) — the endpoint that hands out temporary IAM credentials to code running on AWS/GCP/Azure. A different technique from the download-execute droppers, aimed squarely at stealing cloud credentials from CI runners. Catalogued in OSV as MAL-2026-6473; surfaced independently by codelake's dropper pipeline.

CriticalConfirmed maliciousCloud-metadata SSRFOSV MAL-2026-6473
Summary

The npm package colorpicker-ui (version 1.2.5) impersonated a harmless UI component — "Minimal color picker component for React with HSL and hex support." It shipped four files (index.js, setup.js, a README and package.json), with no dependencies and no repository.

On npm install, a postinstall: node setup.js hook executes automatically and reaches out to http://169.254.169.254/latest/meta-data/ — the link-local instance-metadata service (IMDS). On a cloud host (an AWS/GCP/Azure CI runner or server), that endpoint returns the machine's temporary IAM role credentials. Harvesting them gives an attacker the cloud identity of the build environment — a path to the wider account.

This is a distinct technique from the download-execute date-utility droppers: no second-stage binary, just a direct grab at cloud credentials via the metadata endpoint. codelake surfaced it through the same dropper filter (a flagged install-run script) and flagged its target as the reserved IMDS address.

The technique — install-hook cloud-metadata theft

1 · Impersonation. A benign-sounding React component name and description lower suspicion in a frontend dependency list.

2 · Auto-execution. A postinstall: node setup.js entry runs on install, before the package is imported.

3 · Metadata query. The setup script requests 169.254.169.254 — the cloud instance-metadata service — which, on a cloud host, exposes temporary IAM credentials and instance identity.

4 · Credential exfiltration. Harvested credentials give the operator the CI/build environment's cloud identity — often enough to pivot into buckets, registries, or secrets in the same account.

Indicators of Compromise
C2169.254.169.254 (cloud instance-metadata service / IMDS — credential-theft target)
HOOKpostinstall → node setup.js (queries the metadata endpoint on install)
PKG[email protected] (npm) — impersonates a "Minimal color picker component for React"; 4 files, no repo, no deps
SHAd4987564f0ec034ad1e55937e2d5f559fc96241dd973fe87392c763ea5b1914b · colorpicker-ui-1.2.5.tgz
REFOSV MAL-2026-6473 (published 2026-06-25) — https://osv.dev/vulnerability/MAL-2026-6473
Remediation & hardening
#ActionPriority
01 Rotate cloud credentials if installed on a cloud host. Any CI runner or server that ran npm install with this package present should have its instance/role credentials rotated and its recent cloud activity audited. Immediate
02 Enforce IMDSv2 and block IMDS egress. Require IMDSv2 (session-token) on AWS, and block outbound access to 169.254.169.254 from build steps that do not need it. Immediate
03 Neutralise install hooks. Install with lifecycle scripts disabled (--ignore-scripts) where feasible, and pin/lock dependencies — treat postinstall as an execution boundary. High

Detected independently by codelake Research · structural dropper filter · deterministic target extraction (flagged the reserved IMDS address). Catalogued in OSV as MAL-2026-6473 — cited here with attribution; documented for its distinct cloud-credential-theft technique.

No working payload or reproduction is published here — the technique is described. The original artifact is preserved in the codelake archive and available to verified security researchers on request.