OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10594 confirms this npm version as malicious. The package declares a postinstall hook (`node.init.js`) that runs automatically on `npm install`. The script enumerates roughly 60 credential and CI environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP/Azure/Heroku/Vercel/Stripe tokens, DB_PASSWORD), reads home-directory dotfiles such as ~/.npmrc, ~/.env*, and credentials.json, and walks ~/.config for files matching token/cred/secret...
Advisory
MAL-2026-10594
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in yargsplus (npm)
Details
The package declares a postinstall hook (`node.init.js`) that runs automatically on `npm install`. The script enumerates roughly 60 credential and CI environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP/Azure/Heroku/Vercel/Stripe tokens, DB_PASSWORD), reads home-directory dotfiles such as ~/.npmrc, ~/.env*, and credentials.json, and walks ~/.config for files matching token/cred/secret patterns. It also collects host reconnaissance (hostname, platform, cwd, pid, timestamp) and POSTs the combined JSON to a hardcoded external webhook at webhook.cool. The package ships no legitimate functionality; its main entry is empty. The name resembles the popular `yargs` CLI parser, consistent with a typosquat lure.
Decision reason
OpenSSF Malicious Packages via OSV confirms yargsplus@1.0.0 as malicious (MAL-2026-10594): Malicious code in yargsplus (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory