Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10061: Malicious code in cursed-ecto-d3ab00 (npm)

0
Critical
Published: 07/09/2026 (07/09/2026, 15:54:19 UTC)
Source: GCVE Database
Product: cursed-ecto-d3ab00

Description

The npm package cursed-ecto-d3ab00 contains malicious code that executes during installation. It runs lifecycle scripts that scan the host filesystem for specific flag patterns, collects sensitive environment and system information, encodes it, and exfiltrates the data to a hardcoded external endpoint. Additionally, it attempts to propagate by sending crafted requests to internal services to register a malicious module. The package has no legitimate functionality and installing it results in a full compromise of the host system.

Affected software

npmghsa
cursed-ecto-d3ab00
Affected versions
=1.0.1=2.0.1=2.0.0=1.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 09:29:57 UTC

Technical Analysis

The cursed-ecto-d3ab00 npm package is a malicious package designed to execute an install-time attack payload. Its lifecycle scripts (preinstall.js, install.js, postinstall.js, prepare.js) run a shell command that recursively scans multiple host filesystem paths for HTB{...} flag patterns, enumerates matching files and their contents, and collects environment variables, hostname, user ID, and present working directory. This collected data is base64-encoded and exfiltrated via HTTPS GET to a hardcoded Cloudflare quick-tunnel endpoint. Furthermore, the scripts send HTTP PUT requests to various internal hostnames and loopback ports targeting an API endpoint to register a malicious module named PWNED on adjacent services. This behavior triggers unconditionally on npm install. The package itself contains no legitimate code (index.js is empty) and exists solely to compromise the host.

Potential Impact

Any system that installs this package is considered fully compromised. The attacker gains access to sensitive environment data, system identifiers, and potentially secrets stored on the host. The malicious code also attempts lateral movement by targeting internal services to register malicious modules, increasing the scope of compromise. Because the package runs code during installation, simply having it installed or running can lead to full system compromise. Secrets and keys on the affected system should be considered exposed and rotated immediately.

Mitigation Recommendations

There is no official patch or fix available for this malicious package. The package should be removed immediately if found installed. Systems that have installed this package should be treated as fully compromised; all secrets and keys must be rotated from a separate, trusted environment. Due to the nature of the compromise, full system reimaging or restoration from a known good backup is recommended. Avoid installing untrusted or suspicious npm packages, and verify package legitimacy before use.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10061
Osv Schema Version
1.7.4
Aliases
["GHSA-9x5f-jcqq-j88c"]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a50ba3268715ace4357d255

Added to database: 07/10/2026, 09:24:02 UTC

Last enriched: 07/10/2026, 09:29:57 UTC

Last updated: 07/10/2026, 09:29:57 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses