VYPR

npm · Malicious package advisory

Malware

ripshakti1

MAL-2026-6674

Malicious code in ripshakti1 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (764edbf390c427ef99a9d9164034b966fbac251f00240bbb219825c0c92422a6)
package.json declares a preinstall lifecycle hook (`node index.js`) that auto-executes on `npm install`. index.js queries the AWS EC2 instance metadata service (IMDSv2 and v1) at 169.254.169.254 for IAM role credentials, instance identity, user-data, and network/host metadata, queries the ECS task credentials endpoint at 169.254.170.2, and filters process.env for keys matching secret-shaped patterns (key, secret, token, pass, auth, cred, api, aws, database, db_, mongo, redis, s3, sqs, sns, lambda, role). Each payload is base64-encoded and exfiltrated via HTTPS GET to the attacker-controlled Burp Collaborator subdomain a2de2lw03amqkgbex432znqb72du1kp9.oastify.com. This auto-fires on every install, including transitive installs and CI runners.

## Source: ossf-package-analysis (99eb23386bdacc07b7fb8da75fb4a04c93d247e322b4aec2685b1270056683bf)
The OpenSSF Package Analysis project identified 'ripshakti1' @ 81.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (1)

  • 81.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.