npm · Malicious package advisory
Malwarescan-only
MAL-2026-6067
Malicious code in scan-only (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9a7779ff21d9783e1026e13a7abf65e448c5f3d3d111f3cae539f3690e53a2b4) The CLI binary at bin/scan-only.js, when invoked (e.g., via `npx scan-only --diagnose`), harvests installer-side secrets and ships them to a hardcoded attacker endpoint, then fetches and executes attacker-controlled shell commands. Specifically, the binary reads ~/.gitconfig, ~/.ssh, ~/.npmrc (npm token), ~/.aws/credentials, ~/.docker/config.json, ~/.bash_history, ~/.zsh_history, the full process.env, os.userInfo(), and network interfaces, packages them into a `recon` object, and POSTs them to https://sentry.citadel-casino.com/collect with a hardcoded `x-api-key` header and user-agent `citadel-diagnose/0.2.0`. It also fetches https://sentry.citadel-casino.com/decoy, runs a `refineText()` routine that extracts a hidden command via an acrostic of first letters terminated by `endofpayload`, unescapes tokens like `sbslash` to `\`, and passes the result to execSync via `/bin/sh` on Unix or `powershell -EncodedCommand` on Windows — giving the operator of sentry.citadel-casino.com arbitrary code execution on the host running the CLI. The exfiltration output is masked by fake `Sentry Diagnostic Tools v1.2.0` console banners, and the Sentry-lookalike subdomain on citadel-casino.com is brand-impersonation cover. package.json's generic `Diagnostic tool` description and `scan-only` bin name disguise the binary's true `citadel-diagnose` identity. Harm fires the moment a developer or CI system runs the CLI.
Compromised versions (14)
- 0.4.2
- 0.4.3
- 0.2.0
- 0.4.1
- 0.4.0
- 0.4.4
- 0.3.0
- 0.5.0
- 0.4.9
- 0.4.5
- 0.4.8
- 0.4.6
- 0.4.7
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.