ecto-win-flag-q2m7 @1.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5692
Ecosystem
npm
Summary
On npm install, postinstall.js executes a harvest-and-exfiltrate chain against the installer's machine. It reads files under /app, /root, and /flag.txt, shells out via execFileSync('/bin/sh', ['-c', ...]) to recursively grep the filesystem for HTB{...} flag patterns and collect git history, gathers host identifiers (uid, cwd, hostname), and transmits the collected data via HTTP PUT to a hardcoded attacker endpoint at http://154.57.164.82:31250/api/modules/ECT-*. The script includes sandbox-evasion gating that exits cleanly when cwd contains /tmp/npm-safe or /tmp/pkg, or when hostname matches nijin, hetzner, or ec2.internal, so that the malicious path only fires on real installer machines. The combination of unconditional filesystem reads, a hardcoded non-registry IP destination, and scanner-evasion logic is an unambiguous supply-chain attack.
Source: amazon-inspector (a6344042aff547b32cf30bc456be25e1229f921217ec0d6777f470174df10792)