MAL-2026-10090

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nonenull1/MAL-2026-10090.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10090
Published
2026-07-09T16:34:31Z
Modified
2026-07-09T23:02:02.157991377Z
Summary
Malicious code in nonenull1 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac)

The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — <!(node index.js...) with type: none — so that npm's automatic node-gyp rebuild step runs node index.js during install-time configure. index.js then collects installer identifiers via os.hostname(), os.userInfo().username, and the CI environment variables GITHUB_REPOSITORY and RUNNER_ENVIRONMENT, and POSTs a JSON body to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev (https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1). It also drops GYP_STEALTH_PWNED.txt into GITHUB_WORKSPACE (or cwd) whose content self-identifies as Stealth RCE via binding.gyp!. There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit install/postinstall script masks the lifecycle execution — the trigger is binding.gyp presence, which npm resolves via node-gyp rebuild. This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.

Source: ossf-package-analysis (5f02ee2873da4d092fe8c8cc7418db3d2c661a64e5015eb0505fe26e5979da80)

The OpenSSF Package Analysis project identified 'nonenull1' @ 1.5.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.2.0"
            ],
            "id": "IN-MAL-2026-009320",
            "modified_time": "2026-07-09T16:49:41Z",
            "sha256": "1c4b3bf7033e97a761dda8961152a0325d3eb9e89b6cddc4b838176ae13e0568",
            "import_time": "2026-07-09T17:19:23.431446063Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.3.0"
            ],
            "id": "IN-MAL-2026-009319",
            "import_time": "2026-07-09T17:19:23.328713519Z",
            "sha256": "925481cdd4c7bb74f55623377798b53978d16a19b67d4c9e869c042b716b59cb",
            "modified_time": "2026-07-09T16:49:33Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.4.0"
            ],
            "id": "IN-MAL-2026-009321",
            "modified_time": "2026-07-09T16:49:51Z",
            "import_time": "2026-07-09T17:19:23.555445771Z",
            "sha256": "aa83c8718f9869244a68bd577a3e013e16428235357ae774ad8968c101cede32",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009303",
            "modified_time": "2026-07-09T16:34:31Z",
            "import_time": "2026-07-09T17:19:21.081057459Z",
            "sha256": "b7b1ed48fcae410e28bdade3bf5a715b8c4b1390e43591f8263964d8ee302b43",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.5.2"
            ],
            "sha256": "5f02ee2873da4d092fe8c8cc7418db3d2c661a64e5015eb0505fe26e5979da80",
            "modified_time": "2026-07-09T16:56:47Z",
            "import_time": "2026-07-09T17:19:16.423308005Z",
            "source": "ossf-package-analysis"
        },
        {
            "sha256": "73d50f95c05f103c28463abdeff6ebf402d5a23abdc0ef3429d20a105237c966",
            "versions": [
                "1.3.0"
            ],
            "import_time": "2026-07-09T17:19:16.669670167Z",
            "modified_time": "2026-07-09T17:09:06Z",
            "source": "ossf-package-analysis"
        },
        {
            "sha256": "bf2530ede2ed0c04e03f8810e9ca789a38102fdf0cdeb61dd629cb1b522accd0",
            "versions": [
                "1.5.0"
            ],
            "import_time": "2026-07-09T17:19:16.548586759Z",
            "modified_time": "2026-07-09T17:04:41Z",
            "source": "ossf-package-analysis"
        },
        {
            "sha256": "162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac",
            "id": "IN-MAL-2026-009404",
            "import_time": "2026-07-09T21:03:51.208656795Z",
            "modified_time": "2026-07-09T21:02:54Z",
            "versions": [
                "1.6.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.5.2"
            ],
            "id": "IN-MAL-2026-009399",
            "modified_time": "2026-07-09T20:43:23Z",
            "import_time": "2026-07-09T21:03:50.995180692Z",
            "sha256": "17546bb5a46f94f7604006011f2c9f5ba4c1ad03811e93670ab6957cb74c7fc4",
            "source": "amazon-inspector"
        },
        {
            "sha256": "4eab0605359a6944c7d4b87b70c5f858040f5e3e6869c2d15ea2ea11c690a945",
            "id": "IN-MAL-2026-009588",
            "import_time": "2026-07-09T22:56:37.15114829Z",
            "modified_time": "2026-07-09T22:52:42Z",
            "versions": [
                "1.5.5"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.5.4"
            ],
            "id": "IN-MAL-2026-009586",
            "modified_time": "2026-07-09T22:52:28Z",
            "import_time": "2026-07-09T22:56:36.97831884Z",
            "sha256": "90b80b7f518a8ab921cfdbd8eaffb2a84bff97d11ebd5c9f0623ad67891808cf",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / nonenull1

Package

Affected ranges

Affected versions

1.*
1.0.0
1.2.0
1.3.0
1.4.0
1.5.0
1.5.2
1.5.4
1.5.5
1.6.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "nonenull1-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-nvMf/vvu8SCRundblSdFb3Aohj4vYFYxlcVfLmzNF8iYr0oKgIjaZ199vEes9cqeqTxHNOWh5hsukYTpJE+8ow==",
                "sha1": "edf2a3b90ea98fa2212cdf8900472505f7120d4e"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "66847ccf16dfa4a8586414a7d681b0863b0999507b87f5db0388960c17136878",
            "tlsh": "61c08038d53c4c5015c51418411dd441f8514153444e6d45f9cd543c4fa40062c5cbdd",
            "path": "binding.gyp"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nonenull1/MAL-2026-10090.json"