VYPR

npm · Malicious package advisory

Malware

cbr-internal-utils

MAL-2026-10530

Malicious code in cbr-internal-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fa96f42fade399b9e73756e2abd62eafbfa11e2eb02fe1055d9c7e025fba4ab7)
On module load, the package's main entrypoint shells out via child_process.exec to run `cat /etc/passwd` and prints the contents to stdout. This fires unconditionally when any consumer `require()`s the package — no user action or configuration is needed. The package has an internal-sounding name and empty author/description metadata, consistent with a dependency-confusion probe or reconnaissance payload rather than a legitimate library. Reading /etc/passwd serves no library purpose and enumerates local user accounts on the installer's host.

Compromised versions (1)

  • 2.2.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.