This threat involves a malicious npm package, @digitalcnzz/commonmodule, which activates during the npm install process via an obfuscated postinstall hook. After a randomized delay, it collects host details (hostname, username, platform, Node version, IP addresses, registry URL) and dumps the entire process environment variables, which may contain sensitive credentials such as AWS keys and tokens. The stolen data is exfiltrated to an attacker-controlled Feishu/Lark bot webhook endpoint, with the destination obfuscated through character code transformations and XOR encoding. The malware employs extensive anti-analysis checks to detect sandbox, honeypot, and CI environments, exiting silently if such conditions are detected. There is no vendor advisory or patch information available, and no known exploits in the wild have been reported.

If installed, this malicious package can leak sensitive environment variables and host information, including credentials and tokens commonly present in developer and CI environments, to an attacker-controlled endpoint. This exposure can lead to unauthorized access to cloud resources, code repositories, and other sensitive infrastructure components. The malware's anti-analysis features increase the likelihood of evading detection during automated scans or sandbox analysis.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or removal guidance is available, users should avoid installing the @digitalcnzz/commonmodule package. Review and audit dependencies for this package and remove any instances found. Monitor for unexpected network traffic to Feishu/Lark webhook endpoints and consider rotating any potentially exposed credentials. Employ supply chain security best practices such as verifying package integrity and using trusted sources.