SUP-COMPROMISE-003 Malicious postinstall

A direct or transitive dependency matches a curated supply-chain incident in the malicious_postinstall kind. The package ships a lifecycle script (npm postinstall, preinstall, PyPI setup.py) that runs attacker code at install time. Unlike a runtime-only payload, this kind compromises the machine the moment npm install or pip install resolves the package.

A SUP-COMPROMISE-003 hit means the payload has likely already executed on every machine where the package was in scope: developer workstations, CI runners, build servers. Treat the finding as an incident, not a warning.

Catalogued incidents under this kind include:

• INCIDENT-2022-ctx (PyPI: [email protected]), the PyPI abandoned-package republish that exfiltrated AWS credentials and env vars on setup.py execution.
• INCIDENT-2023-coloramaa (PyPI: [email protected]), the colorama typosquat that installed a Python info-stealer on import via a setup.py payload.

What Vulkro detects

The detector walks every (ecosystem, name, version) triple and looks each one up against the curated catalog. A row whose kind is malicious_postinstall and whose versions[] contains the installed version produces a SUP-COMPROMISE-003 finding.

Severity: the catalog row's severity (typically Critical). Confidence: High. Evidence signal: compromised-release-exact-version-match, weight 1.0.

Non-compliant lockfile

ctx==0.2.2

Pipfile.lock / poetry.lock / requirements.txt resolving to ctx==0.2.2 runs the malicious setup.py payload on the next pip install.

Compliant resolution

# Remove the dependency entirely (this package was abandoned
# and republished by an attacker).

If your project actually needs the original ctx library, verify whether the upstream has been republished by a maintainer the community trusts. If not, vendor the last known-good source or remove the dependency.

Remediation

1. Uninstall immediately. The package's lifecycle script has most likely already executed on every machine where this version was resolved.
2. Wipe and reprovision affected hosts where feasible. Developer workstations: at minimum, run a full antimalware scan, audit shell history for outbound network activity, and rotate every credential the user account had access to. CI runners: rebuild the runner from a clean image; do not trust artefacts produced by the affected runs.
3. Rotate every credential that was in scope of any environment where this package was installed. The [email protected] campaign specifically exfiltrated AWS keys and environment variables, so credentials in env vars (cloud provider keys, DB passwords, API tokens) are the highest-priority rotation.
4. Check the advisory in the finding for indicators of compromise (IOCs): outbound domains the payload contacts, filenames it drops, processes it spawns.
5. Run vulkro respond against every project on the machine to find every place the same (name, version) is in use.

See also

• vulkro scan - parent CLI.
• vulkro respond - find every other place the same package is in use.
• SUP-COMPROMISE-001 - sibling rule for hijacked-credential publish incidents.
• SUP-COMPROMISE-002 - sibling rule for typosquats (frequently use the postinstall delivery method).
• SUP-COMPROMISE-004 - sibling rule for source-tree-level backdoors.

References

• CWE-506: Embedded Malicious Code
• CWE-1357: Reliance on Insufficiently Trustworthy Component
• CWE-829: Inclusion of Functionality from Untrusted Control Sphere
• OWASP A08:2021 Software and Data Integrity Failures