Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in rallycoding (npm)

rallycoding

Risk score

92

AI summary

Indexed incident for rallycoding (npm).

Description

package.json declares 'rallycoding' as its own dependency, resolved from an unauthenticated plain-HTTP URL http://pack.nppacks.com/npm/rallycoding rather than the npm registry. On npm install, npm fetches and installs that arbitrary tarball with no integrity pinning and no TLS, and executes any lifecycle scripts contained within it. Because the fetch is unpinned, unauthenticated, and off-registry, the operator of pack.nppacks.com — or any on-path attacker — controls exactly what code runs on the installer's machine at install time. The package additionally reuses the well-known 'rallycoding' identity from the JS teaching community and carries a comment stating 'Security Research Testing Purpose', consistent with a name-confusion lure. The harmful bytes are not shipped in this tarball but are fetched from an author-controlled host at install; regardless of what pack.nppacks.com currently serves, the mechanism is install-time execution of unpinned remote code from a non-registry HTTP source.

Technical details

Affected versions

=3.2.0

Indicators

  • affected version=3.2.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents