@nsub/nitxe @1.0.1
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10429
Ecosystem
npm
Summary
The package's declared npm postinstall script collects the installer's username (os.userInfo().username), hostname (os.hostname()), platform, and the entire process.env object, base64-encodes the JSON, and transmits it as a query parameter in an HTTPS GET to a hardcoded unrelated host (gjsidn.co/collect?d=...). This fires automatically on npm install . The call is dispatched via eval('play(food())') wrapped in a silent try/catch — an obfuscation pattern with no legitimate purpose. In this specific version the postinstall.js file requires only https and never requires os , so the eval'd call throws a ReferenceError that the try/catch swallows and no network I/O actually occurs — but the code shape is unambiguous credential/environment theft and a one-line follow-up publish would make it live. Installer harm surface: full process.env dump on CI machines commonly exports cloud credentials, CI secrets, and npm publish tokens.
Source: amazon-inspector (b16147b7ac55d6c4cc4e042be73e6d49fc7232e8a03f406fecd034cdd27bf0eb)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.