---

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4f65cdcb27200e24464982c0678d9dd556342d53886e4d5378da5d9c664fe1c7)

Both preinstall and postinstall lifecycle hooks in package.json execute index.js, which collects the installer's hostname, non-internal network interface IPs, current working directory, package name, and the value of the SECURITY_BUG_BOUNTY_DOCTOLIB_IS_PWN environment variable, and POSTs the JSON payload to http://poc.khz.bar/install over plain HTTP. This fires automatically on npm install without any user action. The package name @limebike/supreme combined with the bug-bounty-themed environment-variable name and exfil host suggests a dependency-confusion proof-of-concept targeting an internal scope, but the structural behavior — unconditional install-time beacon of installer identity to a third-party host over cleartext HTTP — is identical to a supply-chain exfiltration attack and produces a tangible signal for the operator of poc.khz.bar identifying every machine that installed the package.

Source: ghsa-malware (5cae8c5e6d35571409c86e7b77a3fe40d1bb1c763ce736029375f41628e11d71)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.