OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10585 confirms this npm version as malicious. cheeriobox@1.0.0 is a delivery vehicle for install-time credential theft. package.json declares a postinstall hook that runs `node.init.js`, which enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP, Azure, Stripe, and Docker tokens), reads home-directory secret files (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), scans ~/.config for...
Advisory
MAL-2026-10585
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cheeriobox (npm)
Details
cheeriobox@1.0.0 is a delivery vehicle for install-time credential theft. package.json declares a postinstall hook that runs `node.init.js`, which enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP, Azure, Stripe, and Docker tokens), reads home-directory secret files (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), scans ~/.config for files matching token/cred/secret patterns, and collects host reconnaissance (os.hostname(), os.platform(), process.cwd(), process.pid, plus CI-detection flags such as CI/GITHUB_ACTIONS/GITLAB_CI). The collected data is POSTed as JSON to a hardcoded endpoint at webhook.cool (path /at/tender-deer-80/...). index.js exports an empty object, so the package has no legitimate library functionality — its only effect on install is credential exfiltration, with CI environments explicitly targeted.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present