Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in security-node (npm)

security-node

Risk score

92

AI summary

Indexed incident for security-node (npm).

Description

package.json declares the package's own name as both a dependency and devDependency pointing to http://pack.nppacks.com/npm/security-node, a non-npm-registry host served over plaintext HTTP. On npm install, npm fetches whatever tarball that URL currently serves and installs it as node_modules/security-node, replacing the registry-published contents with code delivered from a mutable third-party host over an unauthenticated channel. This bypasses registry-side scanning and version pinning; the operator of pack.nppacks.com (or any on-path MITM against the plain-HTTP fetch) controls the code that lands in the installer's node_modules on every install. The shipped index.js itself is a benign Babel DefinePlugin-style transform with a self-declared 'Security Research Testing Purpose' header comment, but the tarball substitution mechanism is the installer-harm surface, independent of the current in-tarball code.

Technical details

Affected versions

=1.1.4

Indicators

  • affected version=1.1.475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents