npm · Malicious package advisory
Malwareecto-flag-read-m7p2
MAL-2026-5687
Malicious code in ecto-flag-read-m7p2 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8fb2ef2851c6365e6198a67c4d395a1f3e7ca634559651063ce2e3b68a610cd3)
The package's postinstall.js imports child_process and references HTTP GET calls and hostname lookups during the install lifecycle. The co-occurrence of these primitives in an install-time script is a known shape for both legitimate behavior (CTF/flag-read demos, hostname reporting, telemetry) and exfiltration/dropper attacks, but the available evidence does not show the destination URL, the data being sent, or whether fetched content is executed. The package name ("ecto-flag-read") and small file count are consistent with a CTF or test artifact rather than a recognized library, but intent cannot be confirmed from the current evidence alone. A human reviewer should inspect postinstall.js to determine whether it exfiltrates installer data or executes remote content before this version is allowed in production installs.
## Source: ghsa-malware (47c876fa0bc683b97fe06619068fb4b205e5813e95917d8cd6d9df7a732b1499)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.