VYPR

npm · Malicious package advisory

Malware

nonenull1

MAL-2026-10090

Malicious code in nonenull1 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac)
The package declares `gypfile: true` with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the `sources` list — `<!(node index.js...)` with `type: none` — so that npm's automatic `node-gyp rebuild` step runs `node index.js` during install-time configure. index.js then collects installer identifiers via `os.hostname()`, `os.userInfo().username`, and the CI environment variables `GITHUB_REPOSITORY` and `RUNNER_ENVIRONMENT`, and POSTs a JSON body to a hardcoded ngrok tunnel at `crabbing-thong-overhung.ngrok-free.dev` (`https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1`). It also drops `GYP_STEALTH_PWNED.txt` into `GITHUB_WORKSPACE` (or cwd) whose content self-identifies as `Stealth RCE via binding.gyp!`. There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit `install`/`postinstall` script masks the lifecycle execution — the trigger is `binding.gyp` presence, which npm resolves via `node-gyp rebuild`. This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.

## Source: ossf-package-analysis (5f02ee2873da4d092fe8c8cc7418db3d2c661a64e5015eb0505fe26e5979da80)
The OpenSSF Package Analysis project identified 'nonenull1' @ 1.5.2 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (10)

  • 1.2.0
  • 1.3.0
  • 1.4.0
  • 1.0.0
  • 1.5.2
  • 1.5.0
  • 1.6.0
  • 1.5.5
  • 1.5.4
  • 1.5.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.