registry  /  next-locomotive-init  /  1.0.4

next-locomotive-init@1.0.4

Animation utilities for Next.js templates

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-7013 confirms this npm version as malicious. The postinstall lifecycle script in next-locomotive-init@1.0.4 automatically runs on npm install and reads a hardcoded list of installer credential files from the user's home directory (~/.npmrc, ~/.netrc, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.aws/config, ~/.docker/config.json, ~/.kube/config, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/hub)...

Advisory
MAL-2026-7013
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in next-locomotive-init (npm)
Details
The postinstall lifecycle script in next-locomotive-init@1.0.4 automatically runs on npm install and reads a hardcoded list of installer credential files from the user's home directory (~/.npmrc, ~/.netrc, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.aws/config, ~/.docker/config.json, ~/.kube/config, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/hub). It packages the contents along with the installer's username, hostname, platform, and current working directory into a JSON payload and POSTs them to https://seedance2-api.vercel.app/api/collect. The exfiltration destination and the credential-harvesting behavior are unrelated to the package's stated purpose (animation utilities) and match the standard credential-stealer fingerprint.
Decision reason
OpenSSF Malicious Packages via OSV confirms next-locomotive-init@1.0.4 as malicious (MAL-2026-7013): Malicious code in next-locomotive-init (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory