OSV ID
MAL-2026-7024
Ecosystem
npm
Summary
package.json declares a prepare lifecycle script ( node index.js || true ) that auto-executes on npm install . index.js reads canonical installer-secret paths — ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.config/gcloud/application_default_credentials.json, ~/.npmrc, ~/.pypirc, ~/.docker/config.json, ~/.gitconfig, and.env files walking up parent directories — plus a curated set of cloud/CI environment variables, and POSTs the contents to a hardcoded attacker-controlled ngrok tunnel at https://crabbing-thong-overhung.ngrok-free.dev/exfil. A separate sendInitialPing beacon posts host identifiers (hostname, platform, user, homedir, cwd, node version, npm lifecycle env, git user.email) to the same host at /ping to identify the victim. The || true suffix silences errors so the install appears successful. This is a direct credential-theft supply-chain attack against any developer or CI system that installs the package.
Source: amazon-inspector (c28e7ef260830adb9561488c487960b12e00bd6939daf8ed8e3a239ec9530699)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.