This threat involves a malicious npm package, @longzy/react-native-polyfill, which runs a postinstall script during npm install to collect and exfiltrate host and environment information. The exfiltrated data includes hostname, username, platform, Node.js version, non-internal IP addresses, registry URL, and the full process environment variables, potentially exposing sensitive secrets such as AWS keys and tokens. The data is sent to an attacker-controlled Feishu/Lark bot webhook URL, which is obfuscated using character code transformations and XOR encoding. The malware employs extensive anti-analysis checks, including detection of honeypot tokens, sandbox environment variables, CI environment indicators, and suspicious hostnames or usernames, to avoid execution in analysis environments. The obfuscation and anti-analysis measures are designed to evade casual review and automated detection.

The malware can lead to the exposure of sensitive environment variables and secrets, including tokens and AWS keys, from developer and CI environments. This exposure can result in unauthorized access to cloud resources, data breaches, and further compromise of development and deployment pipelines. The stealthy exfiltration and anti-analysis features increase the likelihood of prolonged undetected presence in affected environments.

No official patch or remediation is currently available for this malicious package. Users should immediately remove @longzy/react-native-polyfill from their projects and audit their environment for potential secret exposure. Rotate any potentially compromised secrets such as tokens and AWS keys. Avoid installing packages from untrusted sources and monitor dependency trees for suspicious or unknown packages. Since this is a malicious package rather than a vulnerability in legitimate software, remediation involves removal and secret rotation rather than patching.