npm

nonenull1 @1.6.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10090

Ecosystem

npm

Summary

The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — <!(node index.js...) with type: none — so that npm's automatic node-gyp rebuild step runs node index.js during install-time configure. index.js then collects installer identifiers via os.hostname() , os.userInfo().username , and the CI environment variables GITHUB_REPOSITORY and RUNNER_ENVIRONMENT , and POSTs a JSON body to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev ( https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1 ). It also drops GYP_STEALTH_PWNED.txt into GITHUB_WORKSPACE (or cwd) whose content self-identifies as Stealth RCE via binding.gyp! . There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit install / postinstall script masks the lifecycle execution — the trigger is binding.gyp presence, which npm resolves via node-gyp rebuild . This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.

Source: amazon-inspector (162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.