⛔ Malware Advisory Detected 2026-07-09 · codelake dropper pipeline
Confirmed malicious. codelake independently detected this at 2026-07-09 · codelake dropper pipeline — antsrcsrctest is NOT catalogued in OSV or GHSA at time of writing (OSV query: 0 results) and is still live on npm — a novel first-catch. codelake surfaced and classified it independently via its install-hook dropper-hunting pipeline, hours after it was published. An npm takedown report is being prepared; an OpenSSF malicious-packages / OSV record is the appropriate catalogue home.. Not yet in any public advisory database at detection time — codelake is the source of record.
Advisory · CLR-2026-2999

Dependency-confusion probe that steals cloud credentials + your whole environment on install

The npm package [email protected] ships a harmless-looking formatDate helper as cover. Its real payload is a preinstall hook that runs the moment you npm install — before any of your code. It fingerprints the host, runs shell recon (id, whoami, ps aux), queries the cloud instance-metadata service for RAM/IAM security credentials, dumps your entire process.env, and POSTs all of it to a hard-coded raw IP. The package name targets an internal antsrc* namespace — a classic dependency-confusion lure. Not in OSV, still live on npm at time of writing.

CriticalConfirmed maliciousDependency confusionCloud-metadata SSRFFull env exfilNovel — not in OSV
Summary

The npm package antsrcsrctest (version 1.0.0, published 2026-07-09) ships just three files: an index.js that exports a benign formatDate() function (the decoy), a package.json, and a preinstall.js that is the actual payload.

Its package.json declares preinstall: node preinstall.js, so the payload runs automatically on npm install, before the package is ever imported — including in CI, containers and dev machines. The index.js decoy exists only to make the package look like a legitimate date utility.

The name — antsrcsrctest — reads as a probe against an internal antsrc namespace; paired with the payload's use of the Alibaba Cloud metadata endpoint, this is a dependency-confusion attack aimed at build environments that might resolve an internal package name to this public one.

What the preinstall payload does

1 · Host + container fingerprint. Reads os.hostname()/platform()/cwd() and checks for containerisation via /.dockerenv, /proc/1/cgroup and /proc/self/mountinfo.

2 · Shell recon (RCE). Executes id, whoami, hostname and ps aux via child_process.execSync and captures the output.

3 · Cloud credential theft (SSRF). Curls the cloud instance-metadata service http://100.100.100.200/latest/meta-data/ (Alibaba Cloud's IMDS, the analogue of AWS's 169.254.169.254), explicitly walking /latest/meta-data/ram/security-credentials/ — the endpoint that hands out the host's temporary RAM (IAM) role credentials.

4 · Full environment dump. Collects the entire process.env — every secret, token and API key present in the build/runtime environment.

5 · Exfiltration. POSTs the whole recon object to http://101.35.44.248/ and the raw environment to http://101.35.44.248/env — a hard-coded raw IP (no domain). All error paths are swallowed so the install looks normal.

Indicators & characteristics
PKG[email protected] (npm) — published 2026-07-09T03:46 UTC, still live at time of writing
HOOKpackage.json: "preinstall": "node preinstall.js" — runs on install, before import
DECOYindex.js exports a benign formatDate() — cover for a "date utility" look
SSRFCloud IMDS: http://100.100.100.200/latest/meta-data/ · /latest/meta-data/ram/security-credentials/ (Alibaba Cloud RAM/IAM temp credentials)
RCEchild_process.execSync: id, whoami, hostname, ps aux · container probes /.dockerenv, /proc/1/cgroup, /proc/self/mountinfo
ENVDumps the entire process.env (all secrets/tokens/keys)
EXFILHTTP POST → http://101.35.44.248/ (recon) and http://101.35.44.248/env (environment) — hard-coded raw IP
Response & guidance
#ActionPriority
01 Do not install it. If it appeared in a build (a dependency-confusion resolution against an internal antsrc* name), treat that environment as compromised. Critical
02 Rotate everything the build could see: the cloud role/RAM credentials reachable from the runner, and every secret/token in the environment (process.env was exfiltrated wholesale). Critical
03 Harden the metadata service: require IMDSv2/token-bound metadata and block egress from build runners to 100.100.100.200 / 169.254.169.254. Block egress to 101.35.44.248. Recommended
04 Claim internal names: the lure is dependency confusion — publish/scope your internal antsrc* package names so a public package can never win resolution. Recommended
05 Report it to npm for takedown — it is still live at time of writing. Not catalogued in OSV/GHSA; an OpenSSF malicious-packages record is the appropriate catalogue home. Done

Detected + classified independently by codelake Research via its install-hook dropper-hunting pipeline, hours after publication · deterministic structural analysis of the packed tarball (package.json hook, preinstall.js control flow, exfil destination). Not catalogued in OSV/GHSA at time of writing; an npm takedown report is being prepared.

This is a confirmed-malware advisory. No working payload or reproduction is published — the behaviour is described from structural analysis, and the exfil IP / metadata endpoints are named as defensive indicators only. The original artifact is preserved in the codelake archive and available to verified security researchers on request.