npm · Malicious package advisory
Malwarecryptoco-auth
MAL-2026-4230
Malicious code in cryptoco-auth (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (46f83b7a7a5e28fe4fadbd72b0d38ff322210501ef54807160a13b7d797e6c68) On require(), index.js opens TCP connections to the cloud link-local metadata address 169.254.169.254 across ports 80, 443, 8080, 3000, 5432, and 6379, writing an HTTP probe on each successful connection. The package advertises itself as a crypto authentication library but contains no authentication code — its only runtime behavior is reconnaissance against the AWS/cloud Instance Metadata Service, a well-known precursor to IMDS credential theft on cloud VMs. The package manifest is minimal (no description, author, or repository), and the IP literal is annotated with an Indonesian-language comment explicitly identifying it as the AWS Metadata IP. The lure-style name combined with reconnaissance behavior and absent legitimate functionality is consistent with a malicious package targeting cloud-hosted installers. ## Source: ossf-package-analysis (224727792d7795e1dff1348ad30dad0de77689bf284ac571b7aee280b49b5774) The OpenSSF Package Analysis project identified 'cryptoco-auth' @ 1.0.6 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
Compromised versions (9)
- 1.0.6
- 1.0.3
- 1.0.8
- 1.0.0
- 1.0.4
- 1.0.1
- 1.0.7
- 1.0.2
- 1.0.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.