registry  /  next-locomotive-init  /  1.0.2

next-locomotive-init@1.0.2

Animation utilities for Next.js templates

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-7013 confirms this npm version as malicious. The package's declared postinstall script reads the installer's OS username via os.userInfo().username and the machine hostname via os.hostname(), composes them into a `<username>@<hostname>` identifier, and POSTs them to a hardcoded remote endpoint at https://seedance2-api.vercel.app/api/agent/register together with a `source: 'next-locomotive-init'` tag. The package is advertised as animation utilities for Next.js...

Advisory
MAL-2026-7013
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in next-locomotive-init (npm)
Details
The package's declared postinstall script reads the installer's OS username via os.userInfo().username and the machine hostname via os.hostname(), composes them into a `<username>@<hostname>` identifier, and POSTs them to a hardcoded remote endpoint at https://seedance2-api.vercel.app/api/agent/register together with a `source: 'next-locomotive-init'` tag. The package is advertised as animation utilities for Next.js templates; there is no functional or documented reason to transmit host identifiers to a third-party endpoint on install. The transmission fires automatically as a lifecycle script on `npm install` with no opt-in, no configuration, and no disclosure, giving the operator of that endpoint a census of every machine that installs the package — a beacon consistent with reconnaissance for follow-on targeting.
Decision reason
OpenSSF Malicious Packages via OSV confirms next-locomotive-init@1.0.2 as malicious (MAL-2026-7013): Malicious code in next-locomotive-init (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory