-= Per source details. Do not edit below this line.=-
The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — <!(node index.js...) with type: none — so that npm's automatic node-gyp rebuild step runs node index.js during install-time configure. index.js then collects installer identifiers via os.hostname(), os.userInfo().username, and the CI environment variables GITHUB_REPOSITORY and RUNNER_ENVIRONMENT, and POSTs a JSON body to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev (https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1). It also drops GYP_STEALTH_PWNED.txt into GITHUB_WORKSPACE (or cwd) whose content self-identifies as Stealth RCE via binding.gyp!. There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit install/postinstall script masks the lifecycle execution — the trigger is binding.gyp presence, which npm resolves via node-gyp rebuild. This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.
The OpenSSF Package Analysis project identified 'nonenull1' @ 1.5.2 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"1.2.0"
],
"id": "IN-MAL-2026-009320",
"modified_time": "2026-07-09T16:49:41Z",
"sha256": "1c4b3bf7033e97a761dda8961152a0325d3eb9e89b6cddc4b838176ae13e0568",
"import_time": "2026-07-09T17:19:23.431446063Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.3.0"
],
"id": "IN-MAL-2026-009319",
"import_time": "2026-07-09T17:19:23.328713519Z",
"sha256": "925481cdd4c7bb74f55623377798b53978d16a19b67d4c9e869c042b716b59cb",
"modified_time": "2026-07-09T16:49:33Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.4.0"
],
"id": "IN-MAL-2026-009321",
"modified_time": "2026-07-09T16:49:51Z",
"import_time": "2026-07-09T17:19:23.555445771Z",
"sha256": "aa83c8718f9869244a68bd577a3e013e16428235357ae774ad8968c101cede32",
"source": "amazon-inspector"
},
{
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-009303",
"modified_time": "2026-07-09T16:34:31Z",
"import_time": "2026-07-09T17:19:21.081057459Z",
"sha256": "b7b1ed48fcae410e28bdade3bf5a715b8c4b1390e43591f8263964d8ee302b43",
"source": "amazon-inspector"
},
{
"versions": [
"1.5.2"
],
"sha256": "5f02ee2873da4d092fe8c8cc7418db3d2c661a64e5015eb0505fe26e5979da80",
"modified_time": "2026-07-09T16:56:47Z",
"import_time": "2026-07-09T17:19:16.423308005Z",
"source": "ossf-package-analysis"
},
{
"sha256": "73d50f95c05f103c28463abdeff6ebf402d5a23abdc0ef3429d20a105237c966",
"versions": [
"1.3.0"
],
"import_time": "2026-07-09T17:19:16.669670167Z",
"modified_time": "2026-07-09T17:09:06Z",
"source": "ossf-package-analysis"
},
{
"sha256": "bf2530ede2ed0c04e03f8810e9ca789a38102fdf0cdeb61dd629cb1b522accd0",
"versions": [
"1.5.0"
],
"import_time": "2026-07-09T17:19:16.548586759Z",
"modified_time": "2026-07-09T17:04:41Z",
"source": "ossf-package-analysis"
},
{
"sha256": "162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac",
"id": "IN-MAL-2026-009404",
"import_time": "2026-07-09T21:03:51.208656795Z",
"modified_time": "2026-07-09T21:02:54Z",
"versions": [
"1.6.0"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.5.2"
],
"id": "IN-MAL-2026-009399",
"modified_time": "2026-07-09T20:43:23Z",
"import_time": "2026-07-09T21:03:50.995180692Z",
"sha256": "17546bb5a46f94f7604006011f2c9f5ba4c1ad03811e93670ab6957cb74c7fc4",
"source": "amazon-inspector"
},
{
"sha256": "4eab0605359a6944c7d4b87b70c5f858040f5e3e6869c2d15ea2ea11c690a945",
"id": "IN-MAL-2026-009588",
"import_time": "2026-07-09T22:56:37.15114829Z",
"modified_time": "2026-07-09T22:52:42Z",
"versions": [
"1.5.5"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.5.4"
],
"id": "IN-MAL-2026-009586",
"modified_time": "2026-07-09T22:52:28Z",
"import_time": "2026-07-09T22:56:36.97831884Z",
"sha256": "90b80b7f518a8ab921cfdbd8eaffb2a84bff97d11ebd5c9f0623ad67891808cf",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "nonenull1-1.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-nvMf/vvu8SCRundblSdFb3Aohj4vYFYxlcVfLmzNF8iYr0oKgIjaZ199vEes9cqeqTxHNOWh5hsukYTpJE+8ow==",
"sha1": "edf2a3b90ea98fa2212cdf8900472505f7120d4e"
}
}
],
"evidence_files": [
{
"sha256": "66847ccf16dfa4a8586414a7d681b0863b0999507b87f5db0388960c17136878",
"tlsh": "61c08038d53c4c5015c51418411dd441f8514153444e6d45f9cd543c4fa40062c5cbdd",
"path": "binding.gyp"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nonenull1/MAL-2026-10090.json"