npm

@nsub/nitxe @1.0.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10429

Ecosystem

npm

Summary

The package's declared npm postinstall script collects the installer's username (os.userInfo().username), hostname (os.hostname()), platform, and the entire process.env object, base64-encodes the JSON, and transmits it as a query parameter in an HTTPS GET to a hardcoded unrelated host (gjsidn.co/collect?d=...). This fires automatically on npm install . The call is dispatched via eval('play(food())') wrapped in a silent try/catch — an obfuscation pattern with no legitimate purpose. In this specific version the postinstall.js file requires only https and never requires os , so the eval'd call throws a ReferenceError that the try/catch swallows and no network I/O actually occurs — but the code shape is unambiguous credential/environment theft and a one-line follow-up publish would make it live. Installer harm surface: full process.env dump on CI machines commonly exports cloud credentials, CI secrets, and npm publish tokens.

Source: amazon-inspector (b16147b7ac55d6c4cc4e042be73e6d49fc7232e8a03f406fecd034cdd27bf0eb)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.