VYPR

npm · Malicious package advisory

Malware

cryptoco-auth

MAL-2026-4230

Malicious code in cryptoco-auth (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (46f83b7a7a5e28fe4fadbd72b0d38ff322210501ef54807160a13b7d797e6c68)
On require(), index.js opens TCP connections to the cloud link-local metadata address 169.254.169.254 across ports 80, 443, 8080, 3000, 5432, and 6379, writing an HTTP probe on each successful connection. The package advertises itself as a crypto authentication library but contains no authentication code — its only runtime behavior is reconnaissance against the AWS/cloud Instance Metadata Service, a well-known precursor to IMDS credential theft on cloud VMs. The package manifest is minimal (no description, author, or repository), and the IP literal is annotated with an Indonesian-language comment explicitly identifying it as the AWS Metadata IP. The lure-style name combined with reconnaissance behavior and absent legitimate functionality is consistent with a malicious package targeting cloud-hosted installers.

## Source: ossf-package-analysis (224727792d7795e1dff1348ad30dad0de77689bf284ac571b7aee280b49b5774)
The OpenSSF Package Analysis project identified 'cryptoco-auth' @ 1.0.6 (npm) as malicious.

It is considered malicious because:

- The package executes one or more commands associated with malicious behavior.

Compromised versions (9)

  • 1.0.6
  • 1.0.3
  • 1.0.8
  • 1.0.0
  • 1.0.4
  • 1.0.1
  • 1.0.7
  • 1.0.2
  • 1.0.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.