MAL-2026-10585
Malicious code in cheeriobox (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1160a4c1ee0340e9897a42a75d735750b7d92fc887bef135a5a979c371356df4) cheeriobox@1.0.0 is a delivery vehicle for install-time credential theft. package.json declares a postinstall hook that runs `node.init.js`, which enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, GCP, Azure, Stripe, and Docker tokens), reads home-directory secret files (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), scans ~/.config for files matching token/cred/secret patterns, and collects host reconnaissance (os.hostname(), os.platform(), process.cwd(), process.pid, plus CI-detection flags such as CI/GITHUB_ACTIONS/GITLAB_CI). The collected data is POSTed as JSON to a hardcoded endpoint at webhook.cool (path /at/tender-deer-80/...). index.js exports an empty object, so the package has no legitimate library functionality — its only effect on install is credential exfiltration, with CI environments explicitly targeted.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for cheeriobox (npm). Pin to a known-safe version or switch to an alternative.