MAL-2026-5688

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ecto-nightly-spirit/MAL-2026-5688.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5688

Aliases

GHSA-qv45-fm3m-pqmr

Published

2026-06-12T14:32:51Z

Modified

2026-06-12T20:01:50.199785995Z

Summary

Malicious code in ecto-nightly-spirit (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5dea0702101217f4a918a23191023bbd9e7d3b5478028bb0868341a574526e97)

On npm install, postinstall.js executes unconditionally and performs three installer-harming actions. (1) It enumerates every key/value pair in process.env and scans for HTB{...} flag patterns (postinstall.js:42-45). (2) It reads a hardcoded list of absolute filesystem paths (/flag.txt, /root/flag.txt, /app/flag.txt, etc.) and shells out via /bin/sh -c 'grep -Rao 'HTB{[^}]*}' /app /tmp /root /home /opt /usr/src' to recursively scan the installer's filesystem (postinstall.js:65). (3) It HTTP-PUTs the discovered string (or a NOFLAG uid=... cwd=... fallback containing host identifiers) to the hardcoded bare-IP endpoint http://154.57.164.70:30569/api/modules/ECT-472839 over plain HTTP. Additionally, postinstall.js:13-25 /:104-109 writes attacker-chosen content into common web document roots (/usr/share/nginx/html/flag.txt, /var/www/html/flag.txt, /app/public/flag.txt, etc.), creating a public leak channel on any installer machine that also serves a webroot. Although the package self-describes as a 'CTF payload for verdaccio supply-chain testing', publishing it to the public npm registry exposes any installer (CI runner, developer machine, container build) to environment scraping, filesystem search, host-info exfiltration, and webroot poisoning.

Source: ghsa-malware (6d71f699510b488ccfcbffb3506c7201419f7229c5aa2544aae21845b8c56081)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "GHSA-qv45-fm3m-pqmr",
            "import_time": "2026-06-12T15:23:25.133186403Z",
            "source": "ghsa-malware",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "sha256": "6d71f699510b488ccfcbffb3506c7201419f7229c5aa2544aae21845b8c56081",
            "modified_time": "2026-06-12T14:32:52Z"
        },
        {
            "id": "IN-MAL-2026-005986",
            "import_time": "2026-06-12T19:43:55.157912291Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.5"
            ],
            "sha256": "a146322e53140c4ae05428678abdb4aa63445d44d54fb22c8441ea6e4bf41780",
            "modified_time": "2026-06-12T19:06:38Z"
        },
        {
            "id": "IN-MAL-2026-005984",
            "import_time": "2026-06-12T19:43:54.961357097Z",
            "versions": [
                "1.0.3"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:06:35Z",
            "sha256": "c020480b56e56de6ac244bb4f866ba106f4e644e91f3c62f190074f12861902b"
        },
        {
            "id": "IN-MAL-2026-005985",
            "import_time": "2026-06-12T19:43:55.062088896Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.4"
            ],
            "sha256": "dfbb7f9d0ea910f059715e62ce2bd1ff1df54e496f63b7daa315b00b70399c97",
            "modified_time": "2026-06-12T19:06:36Z"
        },
        {
            "id": "IN-MAL-2026-005987",
            "import_time": "2026-06-12T19:43:55.282393596Z",
            "versions": [
                "1.0.6"
            ],
            "source": "amazon-inspector",
            "sha256": "f3e675ac797649ab735d65818cd6cf8eb0f3225896bd3a242db7287d0637dd9a",
            "modified_time": "2026-06-12T19:06:40Z"
        },
        {
            "id": "IN-MAL-2026-005988",
            "import_time": "2026-06-12T19:43:55.390762507Z",
            "versions": [
                "1.1.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:06:41Z",
            "sha256": "020cb2bf172547ec06fe446acc4763cb7b7ed0c151ed10c62f252f398ac9692c"
        },
        {
            "id": "IN-MAL-2026-005983",
            "import_time": "2026-06-12T19:43:54.857636691Z",
            "versions": [
                "1.0.1"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:06:33Z",
            "sha256": "5dea0702101217f4a918a23191023bbd9e7d3b5478028bb0868341a574526e97"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ecto-nightly-spirit

Package

Name: ecto-nightly-spirit; View open source insights on deps.dev
Purl: pkg:npm/ecto-nightly-spirit

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.1

1.0.3

1.0.4

1.0.5

1.0.6

1.1.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ecto-nightly-spirit/MAL-2026-5688.json"

indicators

{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "96036713e0f8ec082740dce6d15d56adb8ea3dac313ede0a53d9a28d37297bb8",
            "tlsh": "31a183d043f1682942f2b5b46b5fa10bafa7c8533009fa90f78c06b56f8d46d493669d"
        }
    ]
}