npm · Malicious package advisory
Malwarecursed-modules
MAL-2026-6698
Malicious code in cursed-modules (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (45b6aab954f9b8edbc759c97eabe39d7a070c4dbe852586422761ad0f8c7ad95) cursed-modules@999.0.9 executes attacker-controlled code on three separate triggers and operates a bidirectional command channel against a hardcoded bare-IP C2 at 154.57.164.70. 1) Install-time exfiltration: package.json wires preinstall, install, and postinstall all to `node install.js`. install.js reads /flag, /flag.txt, /app/flag.txt, /root/flag.txt, environment variables (including FLAG/HTB_FLAG), runs `id` and `hostname`, greps the filesystem for CTF flag patterns, serializes process.env, base64-encodes the payload wrapped in a fake `ecto_module` YAML manifest, and HTTP PUTs it to 154.57.164.70:31682/api/modules/ECT-987654. 2) Require-time AWS credential theft: index.js (the declared `main`) runs an IIFE on require that, when the hostname matches a Docker container ID pattern, invokes `aws sts get-caller-identity`, fetches IAM credentials from the IMDS endpoint http://169.254.169.254/latest/meta-data/iam/security-credentials/, lists Secrets Manager secrets, reads /home/node sources and flag files, dumps process.env, and PUTs the base64-encoded result to 154.57.164.70:32447/api/modules/ECT-654321. 3) Broader recon: recon.js reads /root/.npmrc, /home/user/.npmrc, project package.json/lock files, verdaccio configs, htpasswd files, cron jobs, and supervisord configs, then PUTs the data (with a curl fallback) to 154.57.164.70:30728/api/modules/ECT-654321 — directly harvesting npm registry tokens and private-registry credentials. 4) Backdoor: rce.sh PUTs an arbitrary shell command to 154.57.164.70:32447 under module slot ECT-654321 and GETs the base64 command output from slot ECT-987654, completing a request/response command relay over the same C2. The package self-identifies (publish-and-arm.sh, install.js manifest) as a deliberate dependency-confusion attack against verdaccio proxies; the 999.0.9 version is consistent with that pattern. Three independent lifecycle hooks plus a require-time IIFE guarantee the payload fires on default `npm install` and on any consumption of the module. ## Source: ossf-package-analysis (0dade1c70e7e7f58c8f791931e5fe7cf7c40b68358173ed097b7dca6a4f4041d) The OpenSSF Package Analysis project identified 'cursed-modules' @ 999.0.0 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
Compromised versions (19)
- 999.0.0
- 999.0.3
- 999.0.1
- 999.0.2
- 2.0.0
- 999.0.6
- 1.0.5
- 999.0.8
- 1.0.6
- 1.0.7
- 1.0.1
- 999.0.5
- 1.0.4
- 999.1.1
- 999.1.2
- 999.0.7
- 999.0.4
- 999.0.9
- 999.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.