@demica/shared

Details

**Note:** *This report is updated by a verification record*

Dep-confusion squat of internal @demica/shared at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); "authorized canary" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dfc020ab633bac129072df0d74deea8e0a2e118b43dbebf01ba9bbf2b13b6e76)
@demica/shared@99.99.100 declares `postinstall: node canary.js postinstall` in package.json, which fires automatically on `npm install`. canary.js issues a plaintext HTTP GET to bare IP 157.230.17.236:80 at path `/dc?...` with query parameters including `os.hostname()`, the package name/version, a nonce, and the lifecycle phase. The installer's host identifier is disclosed to a third-party endpoint over unauthenticated HTTP without consent. The package self-describes as a 'dependency-confusion canary' and uses an inflated version (99.99.100) under the @demica scope to outrank a presumed internal package of the same name — the canonical dependency-confusion attack shape. Regardless of the operator's stated intent, any party that resolves this public package on `npm install` is beaconed to an attacker-shaped destination (bare IP, plaintext HTTP, no opt-out).

Compromised versions (1)

• 99.99.100

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.