cursed-modules @999.1.2
Vulnerability report · Last retrieved from osv.dev July 1, 2026 at 10:05 PM UTC
OSV ID: MAL-2026-6698
Ecosystem: npm
Summary
cursed-modules@999.0.9 executes attacker-controlled code on three separate triggers and operates a bidirectional command channel against a hardcoded bare-IP C2 at 154.57.164.70.
1) Install-time exfiltration: package.json wires preinstall, install, and postinstall all to node install.js. install.js reads /flag, /flag.txt, /app/flag.txt, /root/flag.txt, environment variables (including FLAG/HTB_FLAG), runs id and hostname, greps the filesystem for CTF flag patterns, serializes process.env, base64-encodes the payload wrapped in a fake ecto_module YAML manifest, and HTTP PUTs it to 154.57.164.70:31682/api/modules/ECT-987654.
2) Require-time AWS credential theft: index.js (the declared main) runs an IIFE on require that, when the hostname matches a Docker container ID pattern, invokes aws sts get-caller-identity, fetches IAM credentials from the IMDS endpoint http://169.254.169.254/latest/meta-data/iam/security-credentials/, lists Secrets Manager secrets, reads /home/node sources and flag files, dumps process.env, and PUTs the base64-encoded result to 154.57.164.70:32447/api/modules/ECT-654321.
3) Broader recon: recon.js reads /root/.npmrc, /home/user/.npmrc, project package.json/lock files, verdaccio configs, htpasswd files, cron jobs, and supervisord configs, then PUTs the data (with a curl fallback) to 154.57.164.70:30728/api/modules/ECT-654321 — directly harvesting npm registry tokens and private-registry credentials.
4) Backdoor: rce.sh PUTs an arbitrary shell command to 154.57.164.70:32447 under module slot ECT-654321 and GETs the base64 command output from slot ECT-987654, completing a request/response command relay over the same C2.
The package self-identifies (publish-and-arm.sh, install.js manifest) as a deliberate dependency-confusion attack against verdaccio proxies; the 999.0.9 version is consistent with that pattern. Three independent lifecycle hooks plus a require-time IIFE guarantee the payload fires on default npm install and on any consumption of the module.
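A defender-side check for the pattern described above, as an added example that is not part of the advisory or of any scanner it cites: it flags install-time lifecycle hooks, the same command wired to several hooks, an inflated major version, and bare-IP or instance-metadata addresses in package source. The rule names, the version threshold and the sample input are assumptions constructed for illustration.

```javascript
// Added example: static triage of an npm package before install.
// Thresholds and rule names are assumptions chosen for illustration.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const IMDS_HOST = "169.254.169.254"; // cloud instance metadata address
const BARE_IP = /\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{2,5})?\b/g;

function auditManifest(manifest, maxMajor = 99) {
  const findings = [];
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
  for (const h of hooks) findings.push(`install-hook:${h}`);
  // The same command on several hooks is redundancy, not a build step.
  const commands = new Set(hooks.map((h) => scripts[h].trim()));
  if (hooks.length > 1 && commands.size === 1) findings.push("redundant-hooks");
  // Very high major versions outrank any private package of the same name.
  const major = parseInt(String(manifest.version || "").split(".")[0], 10);
  if (Number.isInteger(major) && major >= maxMajor) findings.push("inflated-version");
  return findings;
}

function auditSource(fileName, text) {
  const findings = [];
  const ips = new Set(text.match(BARE_IP) || []);
  for (const ip of ips) {
    const host = ip.split(":")[0];
    if (host.split(".").some((o) => Number(o) > 255)) continue; // not an IPv4 address
    findings.push(host === IMDS_HOST ? `${fileName}:imds-access` : `${fileName}:bare-ip:${ip}`);
  }
  if (/\bchild_process\b/.test(text)) findings.push(`${fileName}:spawns-processes`);
  return findings;
}

// Constructed sample mirroring the manifest layout the report describes.
const sampleManifest = {
  name: "cursed-modules",
  version: "999.0.9",
  main: "index.js",
  scripts: { preinstall: "node install.js", install: "node install.js", postinstall: "node install.js" },
};
// Constructed source line; 192.0.2.10 is a documentation-range placeholder.
const sampleSource = 'require("child_process"); const c2 = "http://192.0.2.10:8080/api";';

console.log(auditManifest(sampleManifest));
console.log(auditSource("index.js", sampleSource));
```

Installing with npm's --ignore-scripts option keeps the three lifecycle hooks from running, but it does not stop code that executes when the module is required, so the source check still matters.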
Source: amazon-inspector (45b6aab954f9b8edbc759c97eabe39d7a070c4dbe852586422761ad0f8c7ad95)