VERY IMPORTANT

A malicious npm package named "ambar-src" reached 50,000 downloads in days before being removed from the registry. It uses a preinstall script to execute malicious code during installation, targeting Windows, Linux, and macOS systems. The package employs detection evasion techniques and deploys powerful open-source malware variants. It abuses npm's preinstall script hook to trigger the payload without explicit invocation. The malware fetches additional payloads from remote servers and uses Yandex Cloud for command and control. Affected systems should be considered fully compromised, requiring immediate incident response actions. The attack highlights the speed at which supply chain risks can propagate and confirms that npm install is a high-risk action.