OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10090 confirms this npm version as malicious. On `npm install`, nonenull1@1.0.0 auto-executes a credential stealer via node-gyp. package.json sets `gypfile: true`, and the shipped binding.gyp declares no native sources but places a GYP command-expansion `<!(node index.js...)` in the sources array, so node-gyp rebuild runs index.js during the configure step (an implicit install hook that is not declared as scripts.postinstall). index.js then: (1) collects host...
Advisory
MAL-2026-10090
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nonenull1 (npm)
Details
On `npm install`, nonenull1@1.0.0 auto-executes a credential stealer via node-gyp. package.json sets `gypfile: true`, and the shipped binding.gyp declares no native sources but places a GYP command-expansion `<!(node index.js...)` in the sources array, so node-gyp rebuild runs index.js during the configure step (an implicit install hook that is not declared as scripts.postinstall). index.js then: (1) collects host fingerprint (os.hostname, os.userInfo, process.platform, cwd, node version, git user.email) and POSTs it to https://crabbing-thong-overhung.ngrok-free.dev/ping; (2) reads every file in ~/.ssh, ~/.aws, ~/.config, ~/.kube, ~/.docker, and ~/.gnupg, plus every.env* file discovered walking 8 directory levels up from cwd, and POSTs the contents to /exfil at the same host; (3) filters process.env for keys matching token|secret|key|pass|pwd|auth|api|cred|jwt|cookie and exfiltrates those values. The destination is a hardcoded ngrok tunnel controlled by the publisher. This is a textbook installer-side credential stealer with an implicit install hook designed to evade manifest-only scanners.
## Source: ossf-package-analysis (5f02ee2873da4d092fe8c8cc7418db3d2c661a64e5015eb0505fe26e5979da80) The OpenSSF Package Analysis project identified 'nonenull1' @ 1.5.2 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Decision reason
OpenSSF Malicious Packages via OSV confirms nonenull1@1.3.0 as malicious (MAL-2026-10090): Malicious code in nonenull1 (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory