registry  /  cheeriobox  /  1.0.0

cheeriobox@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10585 confirms this npm version as malicious. cheeriobox@1.0.0 is a delivery vehicle for install-time credential theft. package.json declares a postinstall hook that runs `node.init.js`, which enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP, Azure, Stripe, and Docker tokens), reads home-directory secret files (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), scans ~/.config for...

Advisory
MAL-2026-10585
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cheeriobox (npm)
Details
cheeriobox@1.0.0 is a delivery vehicle for install-time credential theft. package.json declares a postinstall hook that runs `node.init.js`, which enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP, Azure, Stripe, and Docker tokens), reads home-directory secret files (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), scans ~/.config for files matching token/cred/secret patterns, and collects host reconnaissance (os.hostname(), os.platform(), process.cwd(), process.pid, plus CI-detection flags such as CI/GITHUB_ACTIONS/GITLAB_CI). The collected data is POSTed as JSON to a hardcoded endpoint at webhook.cool (path /at/tender-deer-80/...). index.js exports an empty object, so the package has no legitimate library functionality — its only effect on install is credential exfiltration, with CI environments explicitly targeted.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 18 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present