Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in cbr-internal-utils (npm)

cbr-internal-utils

Risk score

92

AI summary

Indexed incident for cbr-internal-utils (npm).

Description

On module load, the package's main entrypoint shells out via child_process.exec to run cat /etc/passwd and prints the contents to stdout. This fires unconditionally when any consumer require()s the package — no user action or configuration is needed. The package has an internal-sounding name and empty author/description metadata, consistent with a dependency-confusion probe or reconnaissance payload rather than a legitimate library. Reading /etc/passwd serves no library purpose and enumerates local user accounts on the installer's host.

Technical details

Affected versions

=2.2.2

Indicators

  • affected version=2.2.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents