Note: This report is updated by a verification record
Sentinel-high version (9.9.9) dependency-confusion squat of an internal Cardano/DeFi lending package. The preinstall script, node index.js || true, auto-executes a credential exfiltration routine: it harvests secrets from the environment (mnemonic, private key, token, Blockfrost API key) and POSTs them to a raw attacker C2 at 2.25.140.71:8443/surflending/npm-confusion. Part of a 2-package campaign (flow-lending + surf-lending). c913 + c252.
The package is marked as malware by OSV: MAL-2026-5803 with source: amazon-inspector