npm

none123s @1.1.7

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-7024

Ecosystem

npm

Summary

package.json declares a prepare lifecycle script ( node index.js || true ) that auto-executes on npm install . index.js reads canonical installer-secret paths — ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.config/gcloud/application_default_credentials.json, ~/.npmrc, ~/.pypirc, ~/.docker/config.json, ~/.gitconfig, and.env files walking up parent directories — plus a curated set of cloud/CI environment variables, and POSTs the contents to a hardcoded attacker-controlled ngrok tunnel at https://crabbing-thong-overhung.ngrok-free.dev/exfil. A separate sendInitialPing beacon posts host identifiers (hostname, platform, user, homedir, cwd, node version, npm lifecycle env, git user.email) to the same host at /ping to identify the victim. The || true suffix silences errors so the install appears successful. This is a direct credential-theft supply-chain attack against any developer or CI system that installs the package.

Source: amazon-inspector (c28e7ef260830adb9561488c487960b12e00bd6939daf8ed8e3a239ec9530699)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.