Vulnerability
Malicious code in ect-472839 (npm)
## Source: amazon-inspector (97e7438d5379376c2214a33c66ded547741bb4b4fd94a5a936859ed6c4bd68de)

On `npm install`, the package's lifecycle script (index.js lines 7-19) reads `/flag.txt` from the installer's host (falling back to `cat /flag*`) and PUTs the file contents in a JSON payload to a hardcoded endpoint at `http://127.0.0.1:3000/api/modules/ECT-987654`. The package.json declares `name: ect-472839`, `version: 100.0.1`, `description: "Probe"`, and an empty `author` — the classic dependency-confusion probe fingerprint (high version number, throwaway metadata, no advertised functionality). The package has no legitimate purpose: its sole install-time effect is to read a CTF-style filesystem artifact and ship it to a service on the loopback interface. Although the destination is 127.0.0.1, on a host where some local service is bound to :3000 (or on a dependency-confusion target where the attacker is running such a service), the file contents are exfiltrated. This is a malicious supply-chain probe, not a utility library.
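The fingerprint the source describes (install-time lifecycle hook, inflated version, empty author, placeholder description, nothing to import) is mechanically checkable before a package is ever installed. The Node script below is an added example of that triage, not code from the advisory, from amazon-inspector or from the package itself. The `preinstall` entry in the sample package.json is an assumption about how the reported index.js hook was wired up; the version threshold and the placeholder-description list are heuristics chosen here, and the benign counter-example is constructed.

```javascript
// Heuristic triage of a package.json for the dependency-confusion probe
// fingerprint: added example, not the advisory's or the package's own code.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];
const PLACEHOLDER_DESCRIPTIONS = new Set(["", "probe", "test", "testing", "placeholder"]);
const HIGH_MAJOR_VERSION = 50; // heuristic threshold (assumption), not an npm rule

function auditPackage(pkg) {
  const findings = [];

  // 1. Install-time code execution: any of these hooks runs during `npm install`.
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
      findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
    }
  }

  // 2. Inflated major version, used to win resolution over an internal package of the same name.
  const major = parseInt(String(pkg.version || "0").split(".")[0], 10);
  if (Number.isFinite(major) && major >= HIGH_MAJOR_VERSION) {
    findings.push(`implausibly high major version ${pkg.version}`);
  }

  // 3. Throwaway metadata: empty author, placeholder description.
  const author = pkg.author;
  const authorEmpty =
    author === undefined || author === "" ||
    (typeof author === "object" && author !== null && Object.keys(author).length === 0);
  if (authorEmpty) findings.push("empty or missing author");

  const desc = String(pkg.description || "").trim().toLowerCase();
  if (PLACEHOLDER_DESCRIPTIONS.has(desc)) {
    findings.push(`placeholder description "${pkg.description || ""}"`);
  }

  // 4. No advertised functionality: nothing a consumer could import or run.
  if (!pkg.main && !pkg.exports && !pkg.bin) {
    findings.push("no main/exports/bin: nothing for a consumer to import");
  }

  // A lifecycle hook plus at least two other fingerprint hits is treated as a probe.
  const hasHook = findings.some((f) => f.startsWith("lifecycle hook"));
  const verdict = hasHook && findings.length >= 3
    ? "suspected dependency-confusion probe"
    : findings.length > 0 ? "review" : "no fingerprint hits";
  return { verdict, findings };
}

function auditPackageJson(text) {
  return auditPackage(JSON.parse(text));
}

// Constructed sample reproducing the metadata the advisory reports; the
// `preinstall` entry is an assumption about how the index.js hook was invoked.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "ect-472839",
  version: "100.0.1",
  description: "Probe",
  author: "",
  scripts: { preinstall: "node index.js" },
});

// Constructed benign counter-example: real functionality, no install hooks.
const BENIGN_PACKAGE_JSON = JSON.stringify({
  name: "example-string-utils",
  version: "1.3.0",
  description: "Pads strings on the left",
  author: { name: "Some Maintainer" },
  main: "index.js",
  scripts: { test: "node test.js" },
});

for (const text of [SAMPLE_PACKAGE_JSON, BENIGN_PACKAGE_JSON]) {
  const { verdict, findings } = auditPackageJson(text);
  console.log(`${JSON.parse(text).name}: ${verdict}`);
  for (const f of findings) console.log(`  - ${f}`);
}
```

Run this over each candidate package.json from a tarball (`npm pack` output, or the registry metadata) before it lands in `node_modules`. Independently of the heuristics, two standard controls close off the install-time path this probe relies on: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, and reserving a registry scope for internal package names removes the unscoped name that a public `ect-*` package could shadow.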
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence