Anatomy of an npm registry-hijack: /etc/hosts redirection and publish-token theft
A supply-chain technique that redirects a victim's npm registry to an attacker-controlled host via /etc/hosts, harvests the npm _authToken, and enables silent package substitution — the "coral-wraith" pattern. codelake's scanner independently detected and classified the specimen from the live npm feed. Note: the specimen analysed here (cursed-modules) is a CTF/red-team reproduction of the technique; the underlying campaign it mirrors is real and documented.
This advisory dissects a high-impact npm supply-chain technique known as coral-wraith: on install, the malware rewrites /etc/hosts to point the npm registry hostname at an attacker-controlled IP, then harvests the developer's npm _authToken and exfiltrates it. With the registry redirected and the token stolen, the attacker can perform package substitution — serving malicious versions of packages the victim installs, and pushing malicious releases under the victim's own account.
codelake detected and classified the specimen automatically from the live npm feed and preserved the artifact. In the interest of accuracy, we note that this specific specimen — cursed-modules — carries hallmarks of a CTF / red-team reproduction (a HackTheBox-style .htb C2 hostname, "flag" exfiltration, and a publish-and-arm.sh tooling script). It faithfully reproduces the technique of the real, in-the-wild coral-wraith campaign (OSV MAL-2026-5682, which OSV summarises as: "any computer that has this package installed should be considered fully compromised"). We publish it as a technique breakdown, not as a claim of a novel live campaign.
The finding was produced entirely by codelake's automated pipeline, with no reliance on any external advisory:
1 · Continuous ingestion. Every newly published npm version is pulled from the registry feed and archived within seconds of publication — so the working artifact is captured before a fast-removed package can disappear (npm has since replaced this package with an empty 0.0.1-security tombstone; codelake retains the original).
2 · Multi-tool static scan. A behavioural detector, a secret scanner, and a deobfuscation engine run on the extracted tree — surfacing the /etc/hosts write, the credential-config read, the install-hook execution and a hardcoded routable C2.
3 · AI malware triage. A language-model reviewer reads the assembled signals plus the relevant code and returns a package-level verdict (here: malicious) with a cited reason — distinct from the raw findings, which it distils.
4 · Deterministic IOC extraction & cross-check. A verification stage extracts validated, routable IOCs (filtering the invalid-octet noise that trips naive regexes) and cross-references OSV — confirming the classification and attaching attribution. The IOCs below are the direct output of that stage.
1 · Install-hook execution. The payload runs from an install lifecycle script, executing automatically on npm install before any code is imported.
2 · /etc/hosts redirection. It appends an entry mapping the registry hostname (here the CTF stand-in registry.spectral-corsair.htb) to an attacker IP, so subsequent registry traffic is transparently rerouted.
3 · Token harvest. It reads the npm auth configuration and extracts the _authToken / _auth values — the credentials that authorise publishing.
4 · Exfiltration. Harvested data is sent to a hardcoded C2 endpoint (validated routable IPs below); the reproduction additionally beacons to a webhook.site URL.
5 · Package substitution. With the registry redirected and a publish-capable token in hand, the attacker can serve trojanised packages to the victim and publish malicious versions under the victim's identity — turning one install into a foothold across the victim's entire dependency and publishing surface.
Detected and classified by codelake Research · continuous npm ingestion · multi-tool static scan · AI malware triage · deterministic IOC extraction and OSV cross-check. Independently corroborated by OSV MAL-2026-6698 (specimen) and MAL-2026-5682 (the coral-wraith campaign it reproduces).
This is a technique dissection. The specimen is a CTF/red-team reproduction, disclosed as such; no working payload or reproduction is published. The original artifact is preserved in the codelake archive and available to verified security researchers on request.