ecto-flag-read-m7p2 @1.0.0
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-5687
Ecosystem
npm
Summary
The package's postinstall.js imports child_process and references HTTP GET calls and hostname lookups during the install lifecycle. The co-occurrence of these primitives in an install-time script is a known shape for both legitimate behavior (CTF/flag-read demos, hostname reporting, telemetry) and exfiltration/dropper attacks, but the available evidence does not show the destination URL, the data being sent, or whether fetched content is executed. The package name ("ecto-flag-read") and small file count are consistent with a CTF or test artifact rather than a recognized library, but intent cannot be confirmed from the current evidence alone. A human reviewer should inspect postinstall.js to determine whether it exfiltrates installer data or executes remote content before this version is allowed in production installs.
Source: amazon-inspector (8fb2ef2851c6365e6198a67c4d395a1f3e7ca634559651063ce2e3b68a610cd3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.