npm

stripedev @1.0.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10592

Ecosystem

npm

Summary

package.json declares postinstall: node.init.js , which runs automatically on npm install . The script enumerates ~60 credential and CI-token environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, HEROKU_*, GCP, and Azure keys), reads ~/.npmrc , ~/.env* , ~/config.json , and ~/credentials.json , and walks ~/.config for files containing token / cred / secret . Host identifiers ( os.hostname() , os.platform() , process.cwd() , pid) are collected alongside the secrets. All collected data is HTTPS-POSTed to a hardcoded webhook.cool endpoint ( webhook.cool/at/tender-deer-80/hG-DWynJKenViD9XWI5Mf8CulD0I9G2s ). The package has no legitimate functionality corresponding to this behavior.

Source: amazon-inspector (e8b1bd48eb1fe3b563d9950f59df7fcfe699d0f1b51820c47b721f59ee74af34)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.