Malicious code in worker-build (npm)
MAL-2026-5677
Published · Modified
Description
Source: amazon-inspector (0e11b6161f4fe3c591bddadbf275003eaac33a1478cda408ac51d85230292e6d)
package.json declares "postinstall": "node main.js", so installation of worker-build@9.0.1 unconditionally executes main.js on npm install. main.js collects host identity (os.hostname(), os.userInfo().username, os.homedir(), process.cwd(), process.argv), reads the consumer's package.json, runs git config --get remote.origin.url, and iterates a hardcoded list of credential-shaped environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, NPM_TOKEN, GITHUB_TOKEN, GITLAB_TOKEN, API_KEY, SECRET_KEY, PASSWORD, TOKEN, DATABASE_URL, MONGODB_URI, REDIS_URL), capturing the first 50 characters of each populated value. The collected JSON payload is POSTed in cleartext to http://jh4wt1kccd0ul174qgmge9n8izozcu0j.oastify.com/exfil and /api/exfil, with an additional DNS lookup against the same host as a side-channel beacon. The package name mimics legitimate Cloudflare Workers build tooling, positioning the package for dependency-confusion against installers that misresolve an internal name to the public registry.
Source: ossf-package-analysis (b5005e4bec545b403f3be10160a08d634d34b5d8ab8e76a185a4a5ba34706719)
The OpenSSF Package Analysis project identified 'worker-build' @ 9.0.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.