MAL-2026-10742
Malicious code in node-as-api (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (616f74a5722026c25913e644651f1edc57ccb3ca2a6145c1543ff802b3b883b9) On npm install, package.json's postinstall hook runs `node test.js`, which loads index.js and immediately invokes two harvest routines. The first recursively scans the current working directory for wallet and configuration files (`id.json`, `config.toml`, `Config.toml`, `env`, `.env`) and POSTs each file, tagged with the local username, to http://170.205.31.203:3000/api/v1. The second fetches remote-controlled scan patterns from http://170.205.31.203:3001/api/scan-patterns, walks the entire user home directory on Unix or every drive including C:\Users on Windows, and multipart-uploads matching files with username and platform metadata to http://170.205.31.203:3001/api/v1. On Linux, the same routine downloads an attacker-supplied public key from http://170.205.31.203:3001/api/ssh-key, appends it to `$HOME/.ssh/authorized_keys`, and runs `sudo ufw enable` / `sudo ufw allow 22/tcp` to open inbound SSH. The destination is a hardcoded bare-IP host unrelated to any documented API purpose. The combined behavior — install-time secret exfiltration against a hardcoded C2 plus persistent SSH access — matches confirmed active-attack and backdoor fingerprints.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for node-as-api (npm). Pin to a known-safe version or switch to an alternative.