The @sailing-package/core npm package contains malicious code that activates during the npm install process via an obfuscated postinstall hook. After a randomized delay, it gathers detailed host information and dumps the entire environment variables, which may include sensitive credentials. This data is exfiltrated to a concealed command-and-control server hosted on open.feishu.cn, formatted as a Feishu/Lark bot message. The malware employs multiple layers of obfuscation, including character code transformations and XOR encoding, to hide the exfiltration endpoint and evade detection. It also performs numerous anti-analysis checks targeting honeypot tokens, sandbox environment variables, CI environment indicators, and suspicious hostnames or usernames, terminating execution silently if detected. No patch or remediation is provided, and no affected versions are explicitly stated.

This malware compromises the confidentiality of host and environment information by exfiltrating potentially sensitive data such as AWS keys, tokens, and other secrets from development and CI environments. The exposure of these secrets can lead to unauthorized access to cloud resources, code repositories, and other critical infrastructure. The obfuscation and anti-analysis features increase the difficulty of detection and mitigation.

No official patch or remediation is available for this malicious package. The primary mitigation is to avoid installing or using the @sailing-package/core npm package. Security teams should audit dependencies for this package and remove it if found. Monitoring for unexpected network connections to Feishu/Lark webhook URLs and scanning for obfuscated postinstall scripts in npm packages may help detect similar threats. Since this is a malicious package, standard patching does not apply; prevention through supply chain security and dependency vetting is critical.