npm · Malicious package advisory
Malwarecdk-insights
MAL-2026-4508
Malicious code in cdk-insights (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (fa41acb776dbedfe93c37899783a5e54b78017ac31576c798a27eae6b9e9ec89) The package contains code in dist/entry.js and dist/index.js that invokes `npm publish` programmatically combined with `writeFileSync` operations — the canonical wormable auto-publication pattern (enumerate maintainer's other packages, rewrite their package.json, republish under the installer's npm credentials). Additionally, dist/aspects/CdkInsightsAspect.js, dist/entry.js, and dist/index.js contain multiple HTTP POST sinks consistent with hardcoded C2 / data-exfiltration endpoints, and CdkInsightsAspect.js contains `ping`-based network reconnaissance. The combination of wormable self-propagation infrastructure plus exfiltration POST endpoints in install/import-reachable code is unambiguous supply-chain attack shape: any developer or CI system installing this package risks (a) having installer-side data POSTed to attacker-controlled endpoints and (b) having their npm credentials abused to republish malicious versions of their other packages.
Compromised versions (2)
- 1.41.2
- 1.42.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.