cheeriobox @1.0.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10585
Ecosystem
npm
Summary
cheeriobox@1.0.0 is a delivery vehicle for install-time credential theft. package.json declares a postinstall hook that runs node.init.js , which enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP, Azure, Stripe, and Docker tokens), reads home-directory secret files (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), scans ~/.config for files matching token/cred/secret patterns, and collects host reconnaissance (os.hostname(), os.platform(), process.cwd(), process.pid, plus CI-detection flags such as CI/GITHUB_ACTIONS/GITLAB_CI). The collected data is POSTed as JSON to a hardcoded endpoint at webhook.cool (path /at/tender-deer-80/...). index.js exports an empty object, so the package has no legitimate library functionality — its only effect on install is credential exfiltration, with CI environments explicitly targeted.
Source: amazon-inspector (1160a4c1ee0340e9897a42a75d735750b7d92fc887bef135a5a979c371356df4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.