MAL-2026-10592
Malicious code in stripedev (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e8b1bd48eb1fe3b563d9950f59df7fcfe699d0f1b51820c47b721f59ee74af34) package.json declares `postinstall: node.init.js`, which runs automatically on `npm install`. The script enumerates ~60 credential and CI-token environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, HEROKU_*, GCP, and Azure keys), reads `~/.npmrc`, `~/.env*`, `~/config.json`, and `~/credentials.json`, and walks `~/.config` for files containing `token`/`cred`/`secret`. Host identifiers (`os.hostname()`, `os.platform()`, `process.cwd()`, pid) are collected alongside the secrets. All collected data is HTTPS-POSTed to a hardcoded webhook.cool endpoint (`webhook.cool/at/tender-deer-80/hG-DWynJKenViD9XWI5Mf8CulD0I9G2s`). The package has no legitimate functionality corresponding to this behavior.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for stripedev (npm). Pin to a known-safe version or switch to an alternative.