registry  /  stripedev  /  1.0.0

stripedev@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10592 confirms this npm version as malicious. package.json declares `postinstall: node.init.js`, which runs automatically on `npm install`. The script enumerates ~60 credential and CI-token environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, HEROKU_*, GCP, and Azure keys), reads `~/.npmrc`, `~/.env*`, `~/config.json`, and `~/credentials.json`, and walks `~/.config` for files containing `token`/`cred`/`secret`...

Advisory
MAL-2026-10592
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in stripedev (npm)
Details
package.json declares `postinstall: node.init.js`, which runs automatically on `npm install`. The script enumerates ~60 credential and CI-token environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, HEROKU_*, GCP, and Azure keys), reads `~/.npmrc`, `~/.env*`, `~/config.json`, and `~/credentials.json`, and walks `~/.config` for files containing `token`/`cred`/`secret`. Host identifiers (`os.hostname()`, `os.platform()`, `process.cwd()`, pid) are collected alongside the secrets. All collected data is HTTPS-POSTed to a hardcoded webhook.cool endpoint (`webhook.cool/at/tender-deer-80/hG-DWynJKenViD9XWI5Mf8CulD0I9G2s`). The package has no legitimate functionality corresponding to this behavior.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 18 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present