VYPR

npm · Malicious package advisory

Malware

cdk-insights

MAL-2026-4508

Malicious code in cdk-insights (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fa41acb776dbedfe93c37899783a5e54b78017ac31576c798a27eae6b9e9ec89)
The package contains code in dist/entry.js and dist/index.js that invokes `npm publish` programmatically combined with `writeFileSync` operations — the canonical wormable auto-publication pattern (enumerate maintainer's other packages, rewrite their package.json, republish under the installer's npm credentials). Additionally, dist/aspects/CdkInsightsAspect.js, dist/entry.js, and dist/index.js contain multiple HTTP POST sinks consistent with hardcoded C2 / data-exfiltration endpoints, and CdkInsightsAspect.js contains `ping`-based network reconnaissance. The combination of wormable self-propagation infrastructure plus exfiltration POST endpoints in install/import-reachable code is unambiguous supply-chain attack shape: any developer or CI system installing this package risks (a) having installer-side data POSTed to attacker-controlled endpoints and (b) having their npm credentials abused to republish malicious versions of their other packages.

Compromised versions (2)

  • 1.41.2
  • 1.42.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.