VDB
KO

MAL-2026-10585

Malicious code in cheeriobox (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1160a4c1ee0340e9897a42a75d735750b7d92fc887bef135a5a979c371356df4) cheeriobox@1.0.0 is a delivery vehicle for install-time credential theft. package.json declares a postinstall hook that runs `node.init.js`, which enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP, Azure, Stripe, and Docker tokens), reads home-directory secret files (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), scans ~/.config for files matching token/cred/secret patterns, and collects host reconnaissance (os.hostname(), os.platform(), process.cwd(), process.pid, plus CI-detection flags such as CI/GITHUB_ACTIONS/GITLAB_CI). The collected data is POSTed as JSON to a hardcoded endpoint at webhook.cool (path /at/tender-deer-80/...). index.js exports an empty object, so the package has no legitimate library functionality — its only effect on install is credential exfiltration, with CI environments explicitly targeted.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / cheeriobox

No fixed version published yet for cheeriobox (npm). Pin to a known-safe version or switch to an alternative.

References