The longzy-basic-ui npm package version 2.0.3 includes a postinstall hook that runs a script (.prepare.cjs) which gathers detailed system and environment information from the installer. This data includes hostname, username, platform details, Node.js version, network interfaces, npm registry, and a near-complete dump of environment variables excluding those prefixed with npm_lifecycle. The collected data is sent via HTTPS POST as a Lark/Feishu bot message to a hardcoded webhook endpoint on open.larksuite.com. The webhook URL is obfuscated by reversing the hostname and applying a character shift, while the webhook path is XOR-decoded at runtime. The script performs multiple sandbox and honeypot evasion checks by detecting known sandbox tokens, suspicious hostnames, and usernames. The package's declared homepage and repository URL point to an internal RFC1918 address, inconsistent with public npm publishing, and its stated purpose does not align with the malicious behavior. This combination of obfuscation, data exfiltration, and evasion confirms the package as credential-theft malware.

Installation of longzy-basic-ui version 2.0.3 results in exfiltration of sensitive environment and system information to an attacker-controlled endpoint. This includes potentially sensitive credentials and environment variables, which can lead to credential theft and further compromise of the affected system or environment.

No official patch or remediation is currently available. Users should avoid installing longzy-basic-ui version 2.0.3 from the npm registry. Remove any installations of this version and audit systems for potential compromise. Monitor for suspicious network traffic to open.larksuite.com. Check the vendor advisory or npm registry for updates or removal of the malicious package. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.