npm · Malicious package advisory
Malwareripshakti1
MAL-2026-6674
Malicious code in ripshakti1 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (764edbf390c427ef99a9d9164034b966fbac251f00240bbb219825c0c92422a6) package.json declares a preinstall lifecycle hook (`node index.js`) that auto-executes on `npm install`. index.js queries the AWS EC2 instance metadata service (IMDSv2 and v1) at 169.254.169.254 for IAM role credentials, instance identity, user-data, and network/host metadata, queries the ECS task credentials endpoint at 169.254.170.2, and filters process.env for keys matching secret-shaped patterns (key, secret, token, pass, auth, cred, api, aws, database, db_, mongo, redis, s3, sqs, sns, lambda, role). Each payload is base64-encoded and exfiltrated via HTTPS GET to the attacker-controlled Burp Collaborator subdomain a2de2lw03amqkgbex432znqb72du1kp9.oastify.com. This auto-fires on every install, including transitive installs and CI runners. ## Source: ossf-package-analysis (99eb23386bdacc07b7fb8da75fb4a04c93d247e322b4aec2685b1270056683bf) The OpenSSF Package Analysis project identified 'ripshakti1' @ 81.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 81.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.