registry  /  cursed-ecto-d3ab00  /  2.0.1

cursed-ecto-d3ab00@2.0.1

ecto module

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10061 confirms this npm version as malicious. The package has no legitimate functionality (index.js is an empty module) and exists solely to run an install-time attack payload. All four lifecycle hooks (preinstall.js, install.js, postinstall.js, prepare.js) execute the same shell command via child_process.execSync that recursively scans host filesystem paths (/app, /opt, /root, /home, /srv, /data, /var, /etc, /tmp, /flag*, /) for HTB{...} flag patterns,...

Advisory
MAL-2026-10061
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cursed-ecto-d3ab00 (npm)
Details
The package has no legitimate functionality (index.js is an empty module) and exists solely to run an install-time attack payload. All four lifecycle hooks (preinstall.js, install.js, postinstall.js, prepare.js) execute the same shell command via child_process.execSync that recursively scans host filesystem paths (/app, /opt, /root, /home, /srv, /data, /var, /etc, /tmp, /flag*, /) for HTB{...} flag patterns, enumerates flag-named files with their contents, captures env, hostname, id, and pwd, base64-encodes the collected data, and exfiltrates it via HTTPS GET to a hardcoded Cloudflare quick-tunnel endpoint at forward-amber-prairie-ruled.trycloudflare.com. In addition, each lifecycle script fans out HTTP PUT requests to internal hostnames and loopback ports (127.0.0.1:3000/8080/80/5000/4000 and hostnames app, web, frontend, console, ecto, registry, backend, nginx) targeting path /api/modules/ECT-839201 with a crafted ecto_module manifest named PWNED, attempting to register a malicious module on adjacent services reachable from the install environment. Behavior fires unconditionally on npm install.
Decision reason
OpenSSF Malicious Packages via OSV confirms cursed-ecto-d3ab00@2.0.1 as malicious (MAL-2026-10061): Malicious code in cursed-ecto-d3ab00 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory