Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in vps-maintenance (npm)

vps-maintenance

Risk score

92

AI summary

Indexed incident for vps-maintenance (npm).

Description

The package.json postinstall script executes a Node one-liner that opens a TCP connection to the hardcoded IP 185.112.147.174 on port 7007 and spawns /bin/sh with its stdio piped through the socket. Because npm auto-runs postinstall during npm install, any installer machine that runs npm install vps-maintenance immediately hands an interactive shell to whoever operates that endpoint, yielding arbitrary remote code execution as the installing user. There is no legitimate install-time use for a bare-IP shell bridge — this is a reverse-shell dropper, not a build helper, runtime fetch, or native-addon step. The package name (vps-maintenance) is a cover story; the actual behavior is a backdoor.

Technical details

Affected versions

=0.1.0

Indicators

  • affected version=0.1.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents