—

MAL-2026-5726

Malicious code in ecto_module (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7e66c690abd94ee498cd359eb076451c0f6ea3956d8221616bbf8990d35a38c5) On `npm install`, the package's preinstall hook (`node index.js`) reads `/flag.txt` (falling back to `execSync('cat /flag*')`) and transmits the captured contents in a JSON `manifest` field via HTTP PUT to a hardcoded endpoint at 127.0.0.1:3000/api/modules/ECT-987654. The package has no legitimate functionality — its description is simply 'Probe', it ships only `index.js` plus `package.json`, and the sole effect of installation is to read an installer-side file and ship it to whatever process is listening on the loopback port. This is a CTF/supply-chain probe payload: filesystem read + shell command execution + outbound HTTP, all auto-fired at install time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ecto_module

No fixed version published yet for ecto_module (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/ecto_module/v/100.0.0 [PACKAGE]