Malicious package

ecto-corsair-whisper-6f3b9 (npm)

Malicious code in ecto-corsair-whisper-6f3b9 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5640
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ecto-corsair-whisper-6f3b9

What this malware does

On npm install, postinstall.js executes a shell-based reconnaissance pass over the installer host: it enumerates process.env, runs find/grep -RaoE 'HTB\{[^}]+\}' across /root, /home, /etc, /var, and similar paths, and runs ps -eo user,pid,cmd via execFileSync('/bin/sh', ['-c',...]) to capture a process listing. The collected flag matches and host diagnostics (uid, hostname, cwd, process list) are then PUT as JSON to the hardcoded bare-IP endpoint http://154.57.164.70:30569/api/modules/ECT-987654. When a gating check (shouldReport() — linux host with hostname starting with scan- or cwd containing /tmp/pkg) is satisfied, postinstall additionally mkdirs and writes the harvested flag/diagnostic content into common web-served directories (/usr/share/nginx/html/flag.txt, /var/www/html/flag.txt, /app/public/flag.txt, etc.), polluting the installer's web roots with attacker-controlled content. The destination is a bare IPv4 on a non-standard port with no relation to any declared publisher; the gating, the secret-pattern grep, and the web-root drop are all consistent with attacker tooling rather than legitimate telemetry.

Malicious versions

4 flagged
1.0.0, 1.0.1, 1.0.2, 1.0.3
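
npm uninstall only helps where the package is a direct dependency, so it is worth checking the lockfile for transitive or aliased installs too. The following is an added example, not code from this advisory or from the package: it walks a parsed package-lock.json in both the flat "packages" layout (lockfileVersion 2/3) and the nested "dependencies" layout (lockfileVersion 1). The sample lockfile and the names demo-app, left-helper and alias-pkg are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the package in this advisory.
const PACKAGE = 'ecto-corsair-whisper-6f3b9';
const FLAGGED = new Set(['1.0.0', '1.0.1', '1.0.2', '1.0.3']); // versions flagged in this advisory

// Returns [{ path, version, flagged }] for every install of PACKAGE, direct or transitive.
function findMaliciousEntries(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED.has(version) });

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  // An aliased install carries the real package name in meta.name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (name === PACKAGE) record(path, meta.version);
  }

  // lockfileVersion 1 (and the legacy mirror kept in v2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      if (name === PACKAGE && !hits.some((h) => h.path === here)) record(here, meta.version);
      walk(meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; demo-app, left-helper and alias-pkg are hypothetical names.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/left-helper': { version: '2.1.0' },
    'node_modules/left-helper/node_modules/ecto-corsair-whisper-6f3b9': { version: '1.0.2' },
    'node_modules/alias-pkg': { name: 'ecto-corsair-whisper-6f3b9', version: '1.0.3' },
  },
  dependencies: {
    'left-helper': {
      version: '2.1.0',
      dependencies: { 'ecto-corsair-whisper-6f3b9': { version: '1.0.2' } },
    },
  },
};

console.log(findMaliciousEntries(SAMPLE_LOCK));
```

To audit a real project, pass in the result of JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). A hit with flagged: false is an install of this package name at a version the advisory does not list.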

Indicators of compromise (SHA-256)


Frequently asked questions

No. ecto-corsair-whisper-6f3b9 on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005718, IN-MAL-2026-005716, IN-MAL-2026-005720, IN-MAL-2026-005717, IN-MAL-2026-005721, IN-MAL-2026-005719

Credits

  • Amazon Inspector · finder
