Objectives
hostile severity, 96% confident.
command-and-control/dropper/execution
Supply-chain dropper via destructured child_process
hostile severity, 95% confident.
supply-chain/recon-exfil
npm package exfiltrates CI/CD info via HTTP
suspicious severity, 94% confident.
command-and-control/infrastructure
Script writes mapping to system hosts file
suspicious severity, 80% confident.
credential-access/env/secrets
npmrc word reference
suspicious severity, 70% confident.
evasion/hosts-file
Windows hosts file path reference
suspicious severity, 85% confident.
supply-chain/credential-theft
JS uses env HOME for credential access
suspicious severity, 80% confident.
supply-chain/impersonation
Writes to sensitive path
suspicious severity, 96% confident.
supply-chain/install-hook/dropper
Requires then deletes temp JavaScript
notable severity, 90% confident.
credential-access/files
Package registry credential paths
notable severity, 90% confident.
discovery/system/fingerprint
Collects operating system platform
notable severity, 85% confident.
execution/condition
Executes different commands based on OS platform
notable severity, 100% confident.
execution/interpreter/script
npm postinstall hook present
notable severity, 86% confident.
persistence/system/surface
installer package script hook
notable severity, 90% confident.
supply-chain/hidden-payload
Postinstall runs local node loader
Micro-behaviors
suspicious severity, 95% confident.
fs/path/sensitive
NPM registry credentials file
notable severity, 86% confident.
fs/file
Read files (Node.js AST)
notable severity, 90% confident.
process/create
Detached ignored unref spawn
notable severity, 100% confident.
process/create/shell
Executes shell commands synchronously
Metadata
notable severity, 90% confident.
package/fields
Package has TypeScript types entry
execution
notable severity, 90% confident.
script
Script 'postinstall' executes node interpreter
20 of 69 traits shown
Identity
| Field | Value |
|---|---|
| SHA-256 | cefab95fdea9a19f1c7f76f589d663b428ea3f4f674210ad6dadc43277c67ed9 |
| Filename | @polka-ui-config-9.9.11.tgz |
Origin
| Field | Value |
|---|---|
| Ecosystem | javascript |
| Domain | npmjs.org |
Timeline
| Field | Value |
|---|---|
| First seen | 27 May 2026 15:45 UTC |
| Last analyzed | 27 May 2026 15:46 UTC |