Supply-chain threat intelligence
Risk score: 92
Indexed incident for @leviyuan/lodestar (npm).
The package ships a lifecycle-invoked script (dist/lodestar-setup.js) that performs an HTTP POST to a hardcoded https://open.feishu.cn endpoint, with process.env data referenced in the same file. dist/lodestar.js similarly contains multiple POST calls to the same Feishu infrastructure. The hardcoded third-party C2 destination (Feishu's open API, used as a webhook receiver) combined with environment-variable access is the canonical exfiltration shape: any developer or build system that installs this package will leak environment contents to the publisher's webhook. The package name (@leviyuan/lodestar) is also a scoped lookalike of the well-known Ethereum consensus client 'lodestar' from ChainSafe, which compounds the supply-chain risk by inviting confused installs.