MAL-2026-4778
Malicious code in 1cat-tunnel-client-zx (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (616be417e8ec33626ef98fe1056bfbd52142e3c44ed4e3158ca5f58ae7cf7331)

The package's postinstall hook (`node install.js`) fetches a platform-specific native binary from `http://156.226.174.161:8888/binaries/tunnel-client-*` over plain HTTP, writes it to disk, chmods it 0755, and the package's CLI subsequently spawns it. The URL is unpinned (no version, no hash, no signature), the destination is a bare IP rather than a publisher-owned or known runtime CDN, and the transport is unencrypted. Any on-path attacker, or whoever controls 156.226.174.161, can deliver arbitrary native code to every installer's machine on `npm install`, with no tamper detection. This is the canonical install-time RCE dropper shape: a lifecycle-script fetch, from non-publisher infrastructure, over plain HTTP, with no integrity verification, followed by immediate execution.
Affected packages
No fixed version published yet for 1cat-tunnel-client-zx (npm). Because this is a malicious-package report rather than a fixable bug, pinning is not a remediation: remove the package from dependency manifests and lockfiles, and treat any host where `npm install` ran with lifecycle scripts enabled as potentially compromised, since the postinstall hook fetches and executes an unverified native binary. Installing with `--ignore-scripts` blocks the hook but does not make the package safe to use.