scan-only (npm)
Malicious code in scan-only (npm)
Remove it immediately and rotate any exposed credentials.
What this malware does
The CLI binary at bin/scan-only.js, when invoked (e.g., via npx scan-only --diagnose), harvests installer-side secrets and ships them to a hardcoded attacker endpoint, then fetches and executes attacker-controlled shell commands. Specifically, the binary reads ~/.gitconfig, ~/.ssh, ~/.npmrc (npm token), ~/.aws/credentials, ~/.docker/config.json, ~/.bash_history, ~/.zsh_history, the full process.env, os.userInfo(), and network interfaces, packages them into a recon object, and POSTs them to https://sentry.citadel-casino.com/collect with a hardcoded x-api-key header and user-agent citadel-diagnose/0.2.0.

It also fetches https://sentry.citadel-casino.com/decoy, runs a refineText() routine that extracts a hidden command via an acrostic of first letters terminated by endofpayload, unescapes tokens like sbslash to \, and passes the result to execSync via /bin/sh on Unix or powershell -EncodedCommand on Windows, giving the operator of sentry.citadel-casino.com arbitrary code execution on the host running the CLI.

The exfiltration is masked by fake Sentry Diagnostic Tools v1.2.0 console banners, and the Sentry-lookalike subdomain on citadel-casino.com is brand-impersonation cover. package.json's generic Diagnostic tool description and the scan-only bin name disguise the binary's true citadel-diagnose identity. Harm fires the moment a developer or CI system runs the CLI.
Credits
- Amazon Inspector · finder
O3 Security blocks malicious packages like this at install time and in CI.