The gx-npm-lib package at version 99.99.99 is a malicious package published under a generic name to overshadow internal packages in CI environments, exploiting dependency confusion. Its postinstall lifecycle script runs a beacon.js script that collects installer metadata such as package name, OS hostname, user info, current working directory, environment variables, and Node.js version. This information is exfiltrated via two channels: DNS lookups encoding user and host data as subdomains, and base64-encoded HTTPS GET requests to a hardcoded attacker-controlled OAST domain. The package self-describes as a 'security-research placeholder' for a proof-of-concept, but this does not constitute consent. The default install leads to active data exfiltration, constituting a textbook supply-chain attack.

Installation of this package results in unauthorized exfiltration of sensitive environment metadata from the host system to an attacker-controlled domain. This leakage can expose internal package names, hostnames, usernames, environment variables, and other contextual information, potentially aiding further attacks or reconnaissance. The attack leverages dependency confusion to trick CI systems or developers into installing the malicious package, thereby compromising the supply chain integrity.

No official patch or remediation is currently documented. Users should avoid installing the gx-npm-lib package version 99.99.99. Review and restrict dependency resolution configurations in CI environments to prevent dependency confusion attacks. Monitor package sources carefully and verify package authenticity before installation. Patch status is not yet confirmed — check the vendor advisory or trusted sources for current remediation guidance.