Which versions of ecto_module are malicious?

The following npm versions of ecto_module are flagged malicious: 100.0.0. Treat any of these as compromised.

How do I remediate ecto_module if I installed it?

Remove ecto_module from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ecto_module part of a known attack campaign?

Yes — ecto_module is associated with the IN-MAL-2026-006280, IN-MAL-2026-006279 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ecto_module in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ecto_module and packages like it before any post-install script runs.

Malicious package

ecto_modulenpm

Malicious code in ecto_module (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5726

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ecto_module

What this malware does

On npm install, the package's preinstall hook (node index.js) reads /flag.txt (falling back to execSync('cat /flag*')) and transmits the captured contents in a JSON manifest field via HTTP PUT to a hardcoded endpoint at 127.0.0.1:3000/api/modules/ECT-987654. The package has no legitimate functionality — its description is simply 'Probe', it ships only index.js plus package.json, and the sole effect of installation is to read an installer-side file and ship it to whatever process is listening on the loopback port. This is a CTF/supply-chain probe payload: filesystem read + shell command execution + outbound HTTP, all auto-fired at install time.

Malicious versions

1 flagged

100.0.0

Indicators of compromise (SHA-256)

581a4f4b080d517bbbebca62de5ce3f08b1bed05b57622132799f61b26389076

7e66c690abd94ee498cd359eb076451c0f6ea3956d8221616bbf8990d35a38c5

Frequently asked questions

No. ecto_module on npm has been identified as a malicious package (version 100.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006280IN-MAL-2026-006279

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection