MAL-2026-10061: Malicious code in cursed-ecto-d3ab00 (npm)
The npm package cursed-ecto-d3ab00 contains malicious code that executes during installation. It runs lifecycle scripts that scan the host filesystem for specific flag patterns, collects sensitive environment and system information, encodes it, and exfiltrates the data to a hardcoded external endpoint. Additionally, it attempts to propagate by sending crafted requests to internal services to register a malicious module. The package has no legitimate functionality and installing it results in a full compromise of the host system.
AI Analysis
Technical Summary
The cursed-ecto-d3ab00 npm package is a malicious package designed to execute an install-time attack payload. Its lifecycle scripts (preinstall.js, install.js, postinstall.js, prepare.js) run a shell command that recursively scans multiple host filesystem paths for HTB{...} flag patterns, enumerates matching files and their contents, and collects environment variables, hostname, user ID, and present working directory. This collected data is base64-encoded and exfiltrated via HTTPS GET to a hardcoded Cloudflare quick-tunnel endpoint. Furthermore, the scripts send HTTP PUT requests to various internal hostnames and loopback ports targeting an API endpoint to register a malicious module named PWNED on adjacent services. This behavior triggers unconditionally on npm install. The package itself contains no legitimate code (index.js is empty) and exists solely to compromise the host.
Potential Impact
Any system that installs this package is considered fully compromised. The attacker gains access to sensitive environment data, system identifiers, and potentially secrets stored on the host. The malicious code also attempts lateral movement by targeting internal services to register malicious modules, increasing the scope of compromise. Because the package runs code during installation, simply having it installed or running can lead to full system compromise. Secrets and keys on the affected system should be considered exposed and rotated immediately.
Mitigation Recommendations
There is no official patch or fix available for this malicious package. The package should be removed immediately if found installed. Systems that have installed this package should be treated as fully compromised; all secrets and keys must be rotated from a separate, trusted environment. Due to the nature of the compromise, full system reimaging or restoration from a known good backup is recommended. Avoid installing untrusted or suspicious npm packages, and verify package legitimacy before use.
MAL-2026-10061: Malicious code in cursed-ecto-d3ab00 (npm)
Description
The npm package cursed-ecto-d3ab00 contains malicious code that executes during installation. It runs lifecycle scripts that scan the host filesystem for specific flag patterns, collects sensitive environment and system information, encodes it, and exfiltrates the data to a hardcoded external endpoint. Additionally, it attempts to propagate by sending crafted requests to internal services to register a malicious module. The package has no legitimate functionality and installing it results in a full compromise of the host system.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The cursed-ecto-d3ab00 npm package is a malicious package designed to execute an install-time attack payload. Its lifecycle scripts (preinstall.js, install.js, postinstall.js, prepare.js) run a shell command that recursively scans multiple host filesystem paths for HTB{...} flag patterns, enumerates matching files and their contents, and collects environment variables, hostname, user ID, and present working directory. This collected data is base64-encoded and exfiltrated via HTTPS GET to a hardcoded Cloudflare quick-tunnel endpoint. Furthermore, the scripts send HTTP PUT requests to various internal hostnames and loopback ports targeting an API endpoint to register a malicious module named PWNED on adjacent services. This behavior triggers unconditionally on npm install. The package itself contains no legitimate code (index.js is empty) and exists solely to compromise the host.
Potential Impact
Any system that installs this package is considered fully compromised. The attacker gains access to sensitive environment data, system identifiers, and potentially secrets stored on the host. The malicious code also attempts lateral movement by targeting internal services to register malicious modules, increasing the scope of compromise. Because the package runs code during installation, simply having it installed or running can lead to full system compromise. Secrets and keys on the affected system should be considered exposed and rotated immediately.
Mitigation Recommendations
There is no official patch or fix available for this malicious package. The package should be removed immediately if found installed. Systems that have installed this package should be treated as fully compromised; all secrets and keys must be rotated from a separate, trusted environment. Due to the nature of the compromise, full system reimaging or restoration from a known good backup is recommended. Avoid installing untrusted or suspicious npm packages, and verify package legitimacy before use.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10061
- Osv Schema Version
- 1.7.4
- Aliases
- ["GHSA-9x5f-jcqq-j88c"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba3268715ace4357d255
Added to database: 07/10/2026, 09:24:02 UTC
Last enriched: 07/10/2026, 09:29:57 UTC
Last updated: 07/10/2026, 09:29:57 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.