ecto_module@100.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5726
Ecosystem: npm
Summary
On npm install, the package's preinstall hook (node index.js) reads /flag.txt (falling back to execSync('cat /flag*')) and transmits the captured contents in a JSON manifest field via HTTP PUT to a hardcoded endpoint at 127.0.0.1:3000/api/modules/ECT-987654. The package has no legitimate functionality: its description is simply 'Probe', it ships only index.js plus package.json, and the sole effect of installation is to read an installer-side file and ship it to whatever process is listening on the loopback port. This is a CTF/supply-chain probe payload: filesystem read + shell command execution + outbound HTTP, all auto-fired at install time.
Source: amazon-inspector (7e66c690abd94ee498cd359eb076451c0f6ea3956d8221616bbf8990d35a38c5)