OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10592 confirms this npm version as malicious. package.json declares `postinstall: node.init.js`, which runs automatically on `npm install`. The script enumerates ~60 credential and CI-token environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, HEROKU_*, GCP, and Azure keys), reads `~/.npmrc`, `~/.env*`, `~/config.json`, and `~/credentials.json`, and walks `~/.config` for files containing `token`/`cred`/`secret`...
Advisory
MAL-2026-10592
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in stripedev (npm)
Details
package.json declares `postinstall: node.init.js`, which runs automatically on `npm install`. The script enumerates ~60 credential and CI-token environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, HEROKU_*, GCP, and Azure keys), reads `~/.npmrc`, `~/.env*`, `~/config.json`, and `~/credentials.json`, and walks `~/.config` for files containing `token`/`cred`/`secret`. Host identifiers (`os.hostname()`, `os.platform()`, `process.cwd()`, pid) are collected alongside the secrets. All collected data is HTTPS-POSTed to a hardcoded webhook.cool endpoint (`webhook.cool/at/tender-deer-80/hG-DWynJKenViD9XWI5Mf8CulD0I9G2s`). The package has no legitimate functionality corresponding to this behavior.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present