cursed-ecto-d3ab00 @2.0.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10061
Ecosystem
npm
Summary
The package has no legitimate functionality (index.js is an empty module) and exists solely to run an install-time attack payload. All four lifecycle hooks (preinstall.js, install.js, postinstall.js, prepare.js) execute the same shell command via child_process.execSync that recursively scans host filesystem paths (/app, /opt, /root, /home, /srv, /data, /var, /etc, /tmp, /flag*, /) for HTB{...} flag patterns, enumerates flag-named files with their contents, captures env, hostname, id, and pwd, base64-encodes the collected data, and exfiltrates it via HTTPS GET to a hardcoded Cloudflare quick-tunnel endpoint at forward-amber-prairie-ruled.trycloudflare.com. In addition, each lifecycle script fans out HTTP PUT requests to internal hostnames and loopback ports (127.0.0.1:3000/8080/80/5000/4000 and hostnames app, web, frontend, console, ecto, registry, backend, nginx) targeting path /api/modules/ECT-839201 with a crafted ecto_module manifest named PWNED, attempting to register a malicious module on adjacent services reachable from the install environment. Behavior fires unconditionally on npm install.
Source: amazon-inspector (49348969de68b56d680a46f67f817053621fa41a5220d8cd0bc1da720e77a5a1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.