MAL-2026-7013

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/next-locomotive-init/MAL-2026-7013.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7013
Published
2026-07-08T17:28:48Z
Modified
2026-07-08T18:46:46.026851699Z
Summary
Malicious code in next-locomotive-init (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f6c9a6a78e92a3815c6923d8a77304fa6622e93b11eecdad3d5a1156398ec37b)

The postinstall lifecycle script in next-locomotive-init@1.0.4 automatically runs on npm install and reads a hardcoded list of installer credential files from the user's home directory (~/.npmrc, ~/.netrc, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.aws/credentials, ~/.aws/config, ~/.docker/config.json, ~/.kube/config, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/hub). It packages the contents along with the installer's username, hostname, platform, and current working directory into a JSON payload and POSTs them to https://seedance2-api.vercel.app/api/collect. The exfiltration destination and the credential-harvesting behavior are unrelated to the package's stated purpose (animation utilities) and match the standard credential-stealer fingerprint.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "f6c9a6a78e92a3815c6923d8a77304fa6622e93b11eecdad3d5a1156398ec37b",
            "id": "IN-MAL-2026-008167",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:40:19.466540011Z",
            "modified_time": "2026-07-08T17:28:48Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "sha256": "ec4c91242980b901a25caec52717158145b49303bde9702feb5b097076055706",
            "id": "IN-MAL-2026-008176",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T18:34:24.660878312Z",
            "modified_time": "2026-07-08T18:09:16Z",
            "versions": [
                "1.0.3"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / next-locomotive-init

Package

Name
next-locomotive-init
View open source insights on deps.dev
Purl
pkg:npm/next-locomotive-init

Affected ranges

Affected versions

1.*
1.0.3
1.0.4

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "tlsh": "a22133f112f6a97187b9c2d3f15678020547e242ba197ce4b5dc4289dfca8999cf05f8",
            "sha256": "74352ce52ec36ad21519b8b7c574f2d6c5836be9ec1ed97ceb26901bd89a2cfb"
        }
    ],
    "package_integrity": [
        {
            "filename": "next-locomotive-init-1.0.4.tgz",
            "hashes": {
                "sha1": "d781754c2363c407467664b761289f3648fe66c5",
                "sha512_sri": "sha512-7ggRtwc3NkjUmDxMU5Cp2u/P4WS1wnXeGw9ayjZze7lJ19VDndGUK6MtUjYvrH43eIpUg6bdSkOyX8GbVIbIEA=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/next-locomotive-init/MAL-2026-7013.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]