VDB
KO

MAL-2026-10592

Malicious code in stripedev (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e8b1bd48eb1fe3b563d9950f59df7fcfe699d0f1b51820c47b721f59ee74af34) package.json declares `postinstall: node.init.js`, which runs automatically on `npm install`. The script enumerates ~60 credential and CI-token environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, HEROKU_*, GCP, and Azure keys), reads `~/.npmrc`, `~/.env*`, `~/config.json`, and `~/credentials.json`, and walks `~/.config` for files containing `token`/`cred`/`secret`. Host identifiers (`os.hostname()`, `os.platform()`, `process.cwd()`, pid) are collected alongside the secrets. All collected data is HTTPS-POSTed to a hardcoded webhook.cool endpoint (`webhook.cool/at/tender-deer-80/hG-DWynJKenViD9XWI5Mf8CulD0I9G2s`). The package has no legitimate functionality corresponding to this behavior.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / stripedev

No fixed version published yet for stripedev (npm). Pin to a known-safe version or switch to an alternative.

References