-= Per source details. Do not edit below this line.=-
The postinstall lifecycle script in next-locomotive-init@1.0.4 automatically runs on npm install and reads a hardcoded list of installer credential files from the user's home directory (~/.npmrc, ~/.netrc, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.aws/credentials, ~/.aws/config, ~/.docker/config.json, ~/.kube/config, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/hub). It packages the contents along with the installer's username, hostname, platform, and current working directory into a JSON payload and POSTs them to https://seedance2-api.vercel.app/api/collect. The exfiltration destination and the credential-harvesting behavior are unrelated to the package's stated purpose (animation utilities) and match the standard credential-stealer fingerprint.
{
"malicious-packages-origins": [
{
"sha256": "f6c9a6a78e92a3815c6923d8a77304fa6622e93b11eecdad3d5a1156398ec37b",
"id": "IN-MAL-2026-008167",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:40:19.466540011Z",
"modified_time": "2026-07-08T17:28:48Z",
"versions": [
"1.0.4"
]
},
{
"sha256": "ec4c91242980b901a25caec52717158145b49303bde9702feb5b097076055706",
"id": "IN-MAL-2026-008176",
"source": "amazon-inspector",
"import_time": "2026-07-08T18:34:24.660878312Z",
"modified_time": "2026-07-08T18:09:16Z",
"versions": [
"1.0.3"
]
}
]
}{
"evidence_files": [
{
"path": "postinstall.js",
"tlsh": "a22133f112f6a97187b9c2d3f15678020547e242ba197ce4b5dc4289dfca8999cf05f8",
"sha256": "74352ce52ec36ad21519b8b7c574f2d6c5836be9ec1ed97ceb26901bd89a2cfb"
}
],
"package_integrity": [
{
"filename": "next-locomotive-init-1.0.4.tgz",
"hashes": {
"sha1": "d781754c2363c407467664b761289f3648fe66c5",
"sha512_sri": "sha512-7ggRtwc3NkjUmDxMU5Cp2u/P4WS1wnXeGw9ayjZze7lJ19VDndGUK6MtUjYvrH43eIpUg6bdSkOyX8GbVIbIEA=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/next-locomotive-init/MAL-2026-7013.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]