@demica/resources

Details

**Note:** *This report is updated by a verification record*

Dep-confusion squat of internal @demica/resources at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); "authorized canary" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (98805b03541bafd28883acb75e8fd9d0e4ea947d75062563c34438dec82139bf)
On `npm install`, the package's `scripts.postinstall` executes `canary.js`, which issues an unconditional plain-HTTP GET to the hardcoded bare IP `157.230.17.236` on port 80 at path `/dc?...`. The query string includes `os.hostname()` (truncated to 200 chars) plus the package name, version, a nonce, and a phase identifier. This fires automatically on every install with no opt-out. The package self-describes as a 'dependency-confusion canary,' but it is published on the public npm registry under the `@demica/*` scope: any installer that resolves `@demica/resources` — including via accidental dependency confusion, typo, or curiosity install — will leak their hostname to the operator of that bare IP over unencrypted HTTP. The destination is an anonymous bare IP with no associated domain, publisher, or disclosure; hostname is an installer-side host identifier transmitted off-host to an attacker-shaped endpoint.

Compromised versions (1)

• 99.99.100

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.