npm

yargsplus @1.0.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10594

Ecosystem

npm

Summary

The package declares a postinstall hook ( node.init.js ) that runs automatically on npm install . The script enumerates roughly 60 credential and CI environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP/Azure/Heroku/Vercel/Stripe tokens, DB_PASSWORD), reads home-directory dotfiles such as ~/.npmrc, ~/.env*, and credentials.json, and walks ~/.config for files matching token/cred/secret patterns. It also collects host reconnaissance (hostname, platform, cwd, pid, timestamp) and POSTs the combined JSON to a hardcoded external webhook at webhook.cool. The package ships no legitimate functionality; its main entry is empty. The name resembles the popular yargs CLI parser, consistent with a typosquat lure.

Source: amazon-inspector (47ae65e1d6362744681f51216b451ba9889176b3b0c28b1b4c943f1b5033fdd4)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.