Vulnerability
Malicious code in ecto_module (npm)
Source: amazon-inspector (7e66c690abd94ee498cd359eb076451c0f6ea3956d8221616bbf8990d35a38c5)

On `npm install`, the package's preinstall hook (`node index.js`) reads `/flag.txt` (falling back to `execSync('cat /flag*')`) and transmits the captured contents in a JSON `manifest` field via HTTP PUT to a hardcoded endpoint at 127.0.0.1:3000/api/modules/ECT-987654. The package has no legitimate functionality: its description is simply 'Probe', it ships only `index.js` plus `package.json`, and the sole effect of installation is to read a file on the installing host and send it to whatever process is listening on the loopback port. This is a CTF/supply-chain probe payload: filesystem read, shell command execution and outbound HTTP, all fired automatically at install time.
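As an added defender-side example (not part of this advisory or the package itself), a Node script that audits a package manifest for install-time lifecycle hooks, the mechanism this package abuses. The sample manifest is constructed to mirror the description above; the hook list and heuristics are the example's own assumptions.

```javascript
// Added example: audit a package.json for install-time lifecycle scripts
// before running `npm install`. Not code from the advisory or the package.

// Constructed sample resembling the advisory's description: a package whose
// only behaviour is a preinstall hook that runs a bundled script.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "ecto_module",
  version: "1.0.0",
  description: "Probe",
  scripts: { preinstall: "node index.js" },
  files: ["index.js"]
});

// Lifecycle scripts npm runs automatically for a dependency during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Returns one finding per install-time hook present in the manifest text.
// Each finding carries the hook name, its command, and the reasons it looks
// like the profile this advisory describes (heuristics, not proof).
function findInstallHooks(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const reasons = [];
    // Hook executes a script file shipped in the package (e.g. `node index.js`).
    if (/\bnode\b\s+\S+\.[cm]?js/.test(command)) reasons.push("runs a bundled script at install time");
    // Hook reaches for shell or download tooling directly.
    if (/\b(curl|wget|sh|bash|powershell)\b/.test(command)) reasons.push("invokes shell or network tooling");
    // A library with no entry point has nothing to offer besides its hooks.
    if (!pkg.main && !pkg.bin) reasons.push("package exposes no entry point (main/bin)");
    findings.push({ hook, command, reasons });
  }
  return findings;
}

// Policy helper: any install hook with at least one flagged reason means the
// package should be held back for review instead of installed.
function shouldQuarantine(packageJsonText) {
  return findInstallHooks(packageJsonText).some(f => f.reasons.length > 0);
}
```

For a blanket mitigation, `ignore-scripts=true` in `.npmrc` stops npm from running these hooks at all, so the payload never executes even if the package is pulled in.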
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence