nonenull1 @1.6.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-10090
Ecosystem
npm
Summary
The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — <!(node index.js...) with type: none — so that npm's automatic node-gyp rebuild step runs node index.js during install-time configure. index.js then collects installer identifiers via os.hostname() , os.userInfo().username , and the CI environment variables GITHUB_REPOSITORY and RUNNER_ENVIRONMENT , and POSTs a JSON body to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev ( https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1 ). It also drops GYP_STEALTH_PWNED.txt into GITHUB_WORKSPACE (or cwd) whose content self-identifies as Stealth RCE via binding.gyp! . There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit install / postinstall script masks the lifecycle execution — the trigger is binding.gyp presence, which npm resolves via node-gyp rebuild . This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.
Source: amazon-inspector (162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.