MAL-2026-7013
Malicious code in next-locomotive-init (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f6c9a6a78e92a3815c6923d8a77304fa6622e93b11eecdad3d5a1156398ec37b) The postinstall lifecycle script in next-locomotive-init@1.0.4 automatically runs on npm install and reads a hardcoded list of installer credential files from the user's home directory (~/.npmrc, ~/.netrc, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.aws/config, ~/.docker/config.json, ~/.kube/config, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/hub). It packages the contents along with the installer's username, hostname, platform, and current working directory into a JSON payload and POSTs them to https://seedance2-api.vercel.app/api/collect. The exfiltration destination and the credential-harvesting behavior are unrelated to the package's stated purpose (animation utilities) and match the standard credential-stealer fingerprint.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for next-locomotive-init (npm). Pin to a known-safe version or switch to an alternative.