OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10588 confirms this npm version as malicious. momenntjs is a typosquat of momentjs whose package.json postinstall hook runs `node.init.js`. On `npm install`,.init.js enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, SSH_KEY, GCP/AZURE/Cloudflare tokens, and TWINE credentials) and reads home-directory credential files including ~/.npmrc, ~/.env*,...
Advisory
MAL-2026-10588
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in momenntjs (npm)
Details
momenntjs is a typosquat of momentjs whose package.json postinstall hook runs `node.init.js`. On `npm install`,.init.js enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, SSH_KEY, GCP/AZURE/Cloudflare tokens, and TWINE credentials) and reads home-directory credential files including ~/.npmrc, ~/.env*, config/credentials.json, and files under ~/.config matching token/cred/secret patterns. It also collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid) and POSTs the combined JSON payload to a hardcoded webhook.cool inbox at tender-deer-80. The package provides no legitimate functionality matching its name.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present