Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in cursed-modules (npm)

cursed-modules

Risk score

92

AI summary

Indexed incident for cursed-modules (npm).

Description

Package version 999.0.3 (an extremely high version number consistent with a dependency-confusion attack against an internal package name) ships install-time and require-time credential theft directed at a hardcoded attacker endpoint.

package.json declares all three lifecycle hooks (preinstall, install, postinstall) as node install.js. install.js reads /root/.ssh/id_rsa, id_ed25519, authorized_keys, known_hosts, ssh config, /root/.npmrc, /app/.git/config and git history, and the full process.env, base64-encodes the bundle and PUTs it to http://154.57.164.82:30843/api/modules/ECT-839201.

index.js (the package main) runs a top-level IIFE on require() that dumps process.env, runs aws sts get-caller-identity, queries the AWS instance metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/, and runs aws secretsmanager list-secrets, PUTing the results to the same attacker IP at path /api/modules/ECT-654321.

recon.js targets private npm registry infrastructure: it reads /verdaccio/conf/config.yaml, finds and reads Verdaccio htpasswd files, /root/.npmrc and /home/user/.npmrc, cron jobs, the process list, netstat output, /proc/1/environ, and the full environment, and PUTs the result to http://154.57.164.76:30728/api/modules/ECT-654321 (with a curl shell fallback).

Both install.js and index.js gate execution on /^[0-9a-f]{12}$/.test(os.hostname()), a regex matching a Docker container ID, so the payload only fires inside containerized CI/CD environments and stays dormant on researcher sandboxes and developer laptops.

publish-and-arm.sh labels the package manifest with ship_deck: "dependency-confusion" and cargo_hold: "verdaccio-proxy", confirming that the package's purpose is to shadow an internal name on the public registry and harvest the victim's private registry credentials for follow-on attacks.

The OpenSSF Package Analysis project identified 'cursed-modules' @ 999.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Technical details

Affected versions

  • =999.0.0
  • =999.0.3
  • =999.0.1
  • =999.0.2
  • =2.0.0

Indicators

  • affected version =999.0.0 · 75%
  • affected version =999.0.3 · 75%
  • affected version =999.0.1 · 75%
  • affected version =999.0.2 · 75%
  • affected version =2.0.0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
