VYPR

npm · Malicious package advisory

Malware

@leviyuan/lodestar

MAL-2026-4804

Malicious code in @leviyuan/lodestar (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c295b3a16fad72f7b165d049e75feb88883dcc1b5b8d9d72b52ac7b40aa09ba)
The package ships a lifecycle-invoked script (dist/lodestar-setup.js) that performs an HTTP POST to a hardcoded https://open.feishu.cn endpoint, with process.env data referenced in the same file. dist/lodestar.js similarly contains multiple POST calls to the same Feishu infrastructure. The hardcoded third-party C2 destination (Feishu's open API, used as a webhook receiver) combined with environment-variable access is the canonical exfiltration shape: any developer or build system that installs this package will leak environment contents to the publisher's webhook. The package name (@leviyuan/lodestar) is also a scoped lookalike of the well-known Ethereum consensus client 'lodestar' from ChainSafe, which compounds the supply-chain risk by inviting confused installs.

Compromised versions (1)

  • 0.4.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.