OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10090 confirms this npm version as malicious. The package declares `gypfile: true` with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the `sources` list — `<!(node index.js...)` with `type: none` — so that npm's automatic `node-gyp rebuild` step runs `node index.js` during install-time configure. index.js then collects installer identifiers via `os.hostname()`, `os.userInfo().username`, and the CI environment variables...
Advisory
MAL-2026-10090
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nonenull1 (npm)
Details
The package declares `gypfile: true` with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the `sources` list — `<!(node index.js...)` with `type: none` — so that npm's automatic `node-gyp rebuild` step runs `node index.js` during install-time configure. index.js then collects installer identifiers via `os.hostname()`, `os.userInfo().username`, and the CI environment variables `GITHUB_REPOSITORY` and `RUNNER_ENVIRONMENT`, and POSTs a JSON body to a hardcoded ngrok tunnel at `crabbing-thong-overhung.ngrok-free.dev` (`https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1`). It also drops `GYP_STEALTH_PWNED.txt` into `GITHUB_WORKSPACE` (or cwd) whose content self-identifies as `Stealth RCE via binding.gyp!`. There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit `install`/`postinstall` script masks the lifecycle execution — the trigger is `binding.gyp` presence, which npm resolves via `node-gyp rebuild`. This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.
## Source: ossf-package-analysis (5f02ee2873da4d092fe8c8cc7418db3d2c661a64e5015eb0505fe26e5979da80) The OpenSSF Package Analysis project identified 'nonenull1' @ 1.5.2 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Decision reason
OpenSSF Malicious Packages via OSV confirms nonenull1@1.5.5 as malicious (MAL-2026-10090): Malicious code in nonenull1 (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory