The '@vpms/design-system' npm package versions 0.1.3, 1.0.0, 1.0.1, and 1.1.2 include a preinstall script that executes 'node index.js' on installation. This script iterates over environment variables to harvest any containing keywords like SECRET, TOKEN, PASSWORD, KEY, or CREDENTIAL, including specific high-value secrets such as NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET, and GOOGLE_APPLICATION_CREDENTIALS. It also collects system information such as hostname, username, current working directory, platform, architecture, and top CPU-consuming processes. The collected data is sent via HTTPS POST to a hardcoded Pipedream endpoint associated with malicious activity. The package does not contain legitimate design system code and appears to be a malicious package targeting internal organization namespaces via dependency confusion techniques.

This malicious package can lead to unauthorized disclosure of sensitive credentials and environment information from any system where it is installed. The exfiltrated data includes high-value secrets that could allow attackers to compromise cloud accounts, source code repositories, and other critical infrastructure. This poses a significant risk of credential theft and subsequent unauthorized access or lateral movement within affected environments.

Users should immediately remove the affected versions (=0.1.3, =1.0.0, =1.0.1, =1.1.2) of the '@vpms/design-system' package from their projects. Avoid installing or updating to these versions. Audit systems for any signs of credential compromise if these versions were installed. Since no official patch or fix is available, do not use this package. Consider implementing strict package source verification and dependency auditing to prevent installation of malicious packages. Monitor for any suspicious activity related to exposed credentials.