momenntjs @1.0.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10588
Ecosystem
npm
Summary
momenntjs is a typosquat of momentjs whose package.json postinstall hook runs node.init.js . On npm install ,.init.js enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, SSH_KEY, GCP/AZURE/Cloudflare tokens, and TWINE credentials) and reads home-directory credential files including ~/.npmrc, ~/.env*, config/credentials.json, and files under ~/.config matching token/cred/secret patterns. It also collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid) and POSTs the combined JSON payload to a hardcoded webhook.cool inbox at tender-deer-80. The package provides no legitimate functionality matching its name.
Source: amazon-inspector (6aae445dd0b77bd7409820067097404e4ccb16d658e7911c7c4e659146fdfad4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.