MAL-2026-10594
Malicious code in yargsplus (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (47ae65e1d6362744681f51216b451ba9889176b3b0c28b1b4c943f1b5033fdd4) The package declares a postinstall hook (`node.init.js`) that runs automatically on `npm install`. The script enumerates roughly 60 credential and CI environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP/Azure/Heroku/Vercel/Stripe tokens, DB_PASSWORD), reads home-directory dotfiles such as ~/.npmrc, ~/.env*, and credentials.json, and walks ~/.config for files matching token/cred/secret patterns. It also collects host reconnaissance (hostname, platform, cwd, pid, timestamp) and POSTs the combined JSON to a hardcoded external webhook at webhook.cool. The package ships no legitimate functionality; its main entry is empty. The name resembles the popular `yargs` CLI parser, consistent with a typosquat lure.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for yargsplus (npm). Pin to a known-safe version or switch to an alternative.