Vulnerability
Malicious code in cdk-insights (npm)
## Source: amazon-inspector (fa41acb776dbedfe93c37899783a5e54b78017ac31576c798a27eae6b9e9ec89)

The package contains code in dist/entry.js and dist/index.js that invokes `npm publish` programmatically combined with `writeFileSync` operations — the canonical wormable auto-publication pattern (enumerate the maintainer's other packages, rewrite their package.json, republish under the installer's npm credentials). Additionally, dist/aspects/CdkInsightsAspect.js, dist/entry.js, and dist/index.js contain multiple HTTP POST sinks consistent with hardcoded C2 / data-exfiltration endpoints, and CdkInsightsAspect.js contains `ping`-based network reconnaissance. The combination of wormable self-propagation infrastructure plus exfiltration POST endpoints in install/import-reachable code is an unambiguous supply-chain attack shape: any developer or CI system installing this package risks (a) having installer-side data POSTed to attacker-controlled endpoints and (b) having their npm credentials abused to republish malicious versions of their other packages.
Scoring status: no CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Until a score lands, use the KEV / exploit signals and the EPSS percentile below as the interim severity.

FIRST.org publishes EPSS daily, but coverage isn't universal: pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands.

Interim severity signal: no exploitation, limited impact or prevalence.