Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in elsisi-cli (npm)

elsisi-cli

Risk score

92

AI summary

Indexed incident for elsisi-cli (npm).

Description

package.json declares preinstall and postinstall lifecycle scripts that invoke wget against https://webhook.site/d5968c3d-d0d7-46c4-9305-a726b24fce9c/, passing the installer's current working directory and hostname as query-string parameters ($(pwd), $(hostname)). Both beacons fire automatically on npm install. The tarball ships only package.json (371 bytes); the declared main entry index.js is absent and no source, README, or functionality accompanies the lifecycle hooks, so the package's only effect on install is the outbound beacon to the attacker-controlled webhook.site collector.

Technical details

Affected versions

=9.9.9

Indicators

  • affected version=9.9.975%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents