MAL-2026-10061
Malicious code in cursed-ecto-d3ab00 (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (49348969de68b56d680a46f67f817053621fa41a5220d8cd0bc1da720e77a5a1) The package has no legitimate functionality (index.js is an empty module) and exists solely to run an install-time attack payload. All four lifecycle hooks (preinstall.js, install.js, postinstall.js, prepare.js) execute the same shell command via child_process.execSync that recursively scans host filesystem paths (/app, /opt, /root, /home, /srv, /data, /var, /etc, /tmp, /flag*, /) for HTB{...} flag patterns, enumerates flag-named files with their contents, captures env, hostname, id, and pwd, base64-encodes the collected data, and exfiltrates it via HTTPS GET to a hardcoded Cloudflare quick-tunnel endpoint at forward-amber-prairie-ruled.trycloudflare.com. In addition, each lifecycle script fans out HTTP PUT requests to internal hostnames and loopback ports (127.0.0.1:3000/8080/80/5000/4000 and hostnames app, web, frontend, console, ecto, registry, backend, nginx) targeting path /api/modules/ECT-839201 with a crafted ecto_module manifest named PWNED, attempting to register a malicious module on adjacent services reachable from the install environment. Behavior fires unconditionally on npm install.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for cursed-ecto-d3ab00 (npm). Pin to a known-safe version or switch to an alternative.