npm · Malicious package advisory
Malware@leviyuan/lodestar
MAL-2026-4804
Malicious code in @leviyuan/lodestar (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8c295b3a16fad72f7b165d049e75feb88883dcc1b5b8d9d72b52ac7b40aa09ba) The package ships a lifecycle-invoked script (dist/lodestar-setup.js) that performs an HTTP POST to a hardcoded https://open.feishu.cn endpoint, with process.env data referenced in the same file. dist/lodestar.js similarly contains multiple POST calls to the same Feishu infrastructure. The hardcoded third-party C2 destination (Feishu's open API, used as a webhook receiver) combined with environment-variable access is the canonical exfiltration shape: any developer or build system that installs this package will leak environment contents to the publisher's webhook. The package name (@leviyuan/lodestar) is also a scoped lookalike of the well-known Ethereum consensus client 'lodestar' from ChainSafe, which compounds the supply-chain risk by inviting confused installs.
Compromised versions (1)
- 0.4.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.