MAL-2026-10588
Malicious code in momenntjs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6aae445dd0b77bd7409820067097404e4ccb16d658e7911c7c4e659146fdfad4) momenntjs is a typosquat of momentjs whose package.json postinstall hook runs `node.init.js`. On `npm install`,.init.js enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, SSH_KEY, GCP/AZURE/Cloudflare tokens, and TWINE credentials) and reads home-directory credential files including ~/.npmrc, ~/.env*, config/credentials.json, and files under ~/.config matching token/cred/secret patterns. It also collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid) and POSTs the combined JSON payload to a hardcoded webhook.cool inbox at tender-deer-80. The package provides no legitimate functionality matching its name.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for momenntjs (npm). Pin to a known-safe version or switch to an alternative.