⛔ Malware Technique Advisory Detected 2026-06-30 · 23:20 UTC
Confirmed malicious. codelake independently detected this at 2026-06-30 · 23:20 UTC — OSV documented the specimen ~2.7h earlier (MAL-2026-6698, 20:38 UTC); codelake independently detected and classified it at 23:20 UTC through continuous automated scanning of the npm feed — without reference to any prior advisory.. Also documented publicly: MAL-2026-6698 (OSV (specimen), 2026-06-30 20:38 UTC), MAL-2026-5682 (OSV (coral-wraith campaign), 2026-06-12).
Advisory · CLR-2026-2989

Anatomy of an npm registry-hijack: /etc/hosts redirection and publish-token theft

A supply-chain technique that redirects a victim's npm registry to an attacker-controlled host via /etc/hosts, harvests the npm _authToken, and enables silent package substitution — the "coral-wraith" pattern. codelake's scanner independently detected and classified the specimen from the live npm feed. Note: the specimen analysed here (cursed-modules) is a CTF/red-team reproduction of the technique; the underlying campaign it mirrors is real and documented.

CriticalRegistry hijackTechnique dissectionCTF reproduction specimenAI + IOC verified
Summary

This advisory dissects a high-impact npm supply-chain technique known as coral-wraith: on install, the malware rewrites /etc/hosts to point the npm registry hostname at an attacker-controlled IP, then harvests the developer's npm _authToken and exfiltrates it. With the registry redirected and the token stolen, the attacker can perform package substitution — serving malicious versions of packages the victim installs, and pushing malicious releases under the victim's own account.

codelake detected and classified the specimen automatically from the live npm feed and preserved the artifact. In the interest of accuracy, we note that this specific specimen — cursed-modules — carries hallmarks of a CTF / red-team reproduction (a HackTheBox-style .htb C2 hostname, "flag" exfiltration, and a publish-and-arm.sh tooling script). It faithfully reproduces the technique of the real, in-the-wild coral-wraith campaign (OSV MAL-2026-5682, which OSV summarises as: "any computer that has this package installed should be considered fully compromised"). We publish it as a technique breakdown, not as a claim of a novel live campaign.

How codelake detected it

The finding was produced entirely by codelake's automated pipeline, with no reliance on any external advisory:

1 · Continuous ingestion. Every newly published npm version is pulled from the registry feed and archived within seconds of publication — so the working artifact is captured before a fast-removed package can disappear (npm has since replaced this package with an empty 0.0.1-security tombstone; codelake retains the original).

2 · Multi-tool static scan. A behavioural detector, a secret scanner, and a deobfuscation engine run on the extracted tree — surfacing the /etc/hosts write, the credential-config read, the install-hook execution and a hardcoded routable C2.

3 · AI malware triage. A language-model reviewer reads the assembled signals plus the relevant code and returns a package-level verdict (here: malicious) with a cited reason — distinct from the raw findings, which it distils.

4 · Deterministic IOC extraction & cross-check. A verification stage extracts validated, routable IOCs (filtering the invalid-octet noise that trips naive regexes) and cross-references OSV — confirming the classification and attaching attribution. The IOCs below are the direct output of that stage.

The technique — registry hijack, step by step

1 · Install-hook execution. The payload runs from an install lifecycle script, executing automatically on npm install before any code is imported.

2 · /etc/hosts redirection. It appends an entry mapping the registry hostname (here the CTF stand-in registry.spectral-corsair.htb) to an attacker IP, so subsequent registry traffic is transparently rerouted.

3 · Token harvest. It reads the npm auth configuration and extracts the _authToken / _auth values — the credentials that authorise publishing.

4 · Exfiltration. Harvested data is sent to a hardcoded C2 endpoint (validated routable IPs below); the reproduction additionally beacons to a webhook.site URL.

5 · Package substitution. With the registry redirected and a publish-capable token in hand, the attacker can serve trojanised packages to the victim and publish malicious versions under the victim's identity — turning one install into a foothold across the victim's entire dependency and publishing surface.

Indicators of Compromise
C2154.57.164.70:32447 (validated routable)
C2154.57.164.76:30728 (validated routable — same /24 as the coral-wraith campaign)
HOSTregistry.spectral-corsair.htb (CTF registry stand-in injected into /etc/hosts)
TTP/etc/hosts rewrite → registry redirect → npm _authToken harvest → package substitution
PKGcursed-modules (npm) — removed; replaced by 0.0.1-security tombstone. Specimen SHA below (v1.0.8)
SHAd30d718f0746f15cb7234fd16bc79a2e62afab6c75a2d240c5025172377cc3bc
Remediation & hardening
#ActionPriority
01 Assume compromise if installed. Revoke npm tokens on npmjs.com and rotate all credentials from a clean machine; audit /etc/hosts and remove any injected registry entries. Immediate
02 Neutralise install hooks in CI. Install dependencies with lifecycle scripts disabled (--ignore-scripts) wherever feasible; treat postinstall as an execution boundary. High
03 Pin + verify. Lockfile-pin dependencies, enable registry integrity checks, and monitor for unexpected /etc/hosts changes on developer and build machines. High

Detected and classified by codelake Research · continuous npm ingestion · multi-tool static scan · AI malware triage · deterministic IOC extraction and OSV cross-check. Independently corroborated by OSV MAL-2026-6698 (specimen) and MAL-2026-5682 (the coral-wraith campaign it reproduces).

This is a technique dissection. The specimen is a CTF/red-team reproduction, disclosed as such; no working payload or reproduction is published. The original artifact is preserved in the codelake archive and available to verified security researchers on request.