Malicious code in workflow-postgres-setup (npm)

__

Source: amazon-inspector (19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963)

The package advertises itself as a Postgres/workflow setup helper but ships no library code — the declared main entry index.js is absent from the tarball. Its only functional code is bin/run.js, which on invocation (via npx workflow-postgres-setup or the installed bin) reads process.env.INIT_CWD || process.cwd(), takes the basename, and POSTs it as JSON to a hardcoded third-party endpoint at https://deepbounty.dd06-dev.fr/cb/33d63669-244d-4409-9fba-eb1d32d10cc1. The package's own description self-identifies as a dependency-confusion / npx-typosquat proof-of-concept. Project directory names can themselves be sensitive (internal codenames, customer names, unreleased product identifiers), and the beacon attributes the leak to a specific tracking ID controlled by the operator of the callback domain. The generic, functionality-promising name is consistent with typosquat / dependency-confusion bait targeting developers searching for Postgres setup tooling.