Dependency-confusion probe that steals cloud credentials + your whole environment on install
The npm package [email protected] ships a harmless-looking formatDate helper as cover. Its real payload is a preinstall hook that runs the moment you npm install — before any of your code. It fingerprints the host, runs shell recon (id, whoami, ps aux), queries the cloud instance-metadata service for RAM/IAM security credentials, dumps your entire process.env, and POSTs all of it to a hard-coded raw IP. The package name targets an internal antsrc* namespace — a classic dependency-confusion lure. Not in OSV, still live on npm at time of writing.
The npm package antsrcsrctest (version 1.0.0, published 2026-07-09) ships just three files: an index.js that exports a benign formatDate() function (the decoy), a package.json, and a preinstall.js that is the actual payload.
Its package.json declares preinstall: node preinstall.js, so the payload runs automatically on npm install, before the package is ever imported — including in CI, containers and dev machines. The index.js decoy exists only to make the package look like a legitimate date utility.
The name — antsrcsrctest — reads as a probe against an internal antsrc namespace; paired with the payload's use of the Alibaba Cloud metadata endpoint, this is a dependency-confusion attack aimed at build environments that might resolve an internal package name to this public one.
1 · Host + container fingerprint. Reads os.hostname()/platform()/cwd() and checks for containerisation via /.dockerenv, /proc/1/cgroup and /proc/self/mountinfo.
2 · Shell recon (RCE). Executes id, whoami, hostname and ps aux via child_process.execSync and captures the output.
3 · Cloud credential theft (SSRF). Curls the cloud instance-metadata service http://100.100.100.200/latest/meta-data/ (Alibaba Cloud's IMDS, the analogue of AWS's 169.254.169.254), explicitly walking /latest/meta-data/ram/security-credentials/ — the endpoint that hands out the host's temporary RAM (IAM) role credentials.
4 · Full environment dump. Collects the entire process.env — every secret, token and API key present in the build/runtime environment.
5 · Exfiltration. POSTs the whole recon object to http://101.35.44.248/ and the raw environment to http://101.35.44.248/env — a hard-coded raw IP (no domain). All error paths are swallowed so the install looks normal.
Detected + classified independently by codelake Research via its install-hook dropper-hunting pipeline, hours after publication · deterministic structural analysis of the packed tarball (package.json hook, preinstall.js control flow, exfil destination). Not catalogued in OSV/GHSA at time of writing; an npm takedown report is being prepared.
This is a confirmed-malware advisory. No working payload or reproduction is published — the behaviour is described from structural analysis, and the exfil IP / metadata endpoints are named as defensive indicators only. The original artifact is preserved in the codelake archive and available to verified security researchers on request.