{"id":"MAL-2026-10090","summary":"Malicious code in nonenull1 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac)\nThe package declares `gypfile: true` with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the `sources` list — `\u003c!(node index.js...)` with `type: none` — so that npm's automatic `node-gyp rebuild` step runs `node index.js` during install-time configure. index.js then collects installer identifiers via `os.hostname()`, `os.userInfo().username`, and the CI environment variables `GITHUB_REPOSITORY` and `RUNNER_ENVIRONMENT`, and POSTs a JSON body to a hardcoded ngrok tunnel at `crabbing-thong-overhung.ngrok-free.dev` (`https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1`). It also drops `GYP_STEALTH_PWNED.txt` into `GITHUB_WORKSPACE` (or cwd) whose content self-identifies as `Stealth RCE via binding.gyp!`. There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit `install`/`postinstall` script masks the lifecycle execution — the trigger is `binding.gyp` presence, which npm resolves via `node-gyp rebuild`. This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.\n\n## Source: ossf-package-analysis (5f02ee2873da4d092fe8c8cc7418db3d2c661a64e5015eb0505fe26e5979da80)\nThe OpenSSF Package Analysis project identified 'nonenull1' @ 1.5.2 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-07-09T23:02:02.157991377Z","published":"2026-07-09T16:34:31Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-09T17:19:23.431446063Z","source":"amazon-inspector","modified_time":"2026-07-09T16:49:41Z","sha256":"1c4b3bf7033e97a761dda8961152a0325d3eb9e89b6cddc4b838176ae13e0568","versions":["1.2.0"],"id":"IN-MAL-2026-009320"},{"import_time":"2026-07-09T17:19:23.328713519Z","source":"amazon-inspector","modified_time":"2026-07-09T16:49:33Z","id":"IN-MAL-2026-009319","versions":["1.3.0"],"sha256":"925481cdd4c7bb74f55623377798b53978d16a19b67d4c9e869c042b716b59cb"},{"import_time":"2026-07-09T17:19:23.555445771Z","source":"amazon-inspector","modified_time":"2026-07-09T16:49:51Z","id":"IN-MAL-2026-009321","versions":["1.4.0"],"sha256":"aa83c8718f9869244a68bd577a3e013e16428235357ae774ad8968c101cede32"},{"import_time":"2026-07-09T17:19:21.081057459Z","source":"amazon-inspector","modified_time":"2026-07-09T16:34:31Z","id":"IN-MAL-2026-009303","versions":["1.0.0"],"sha256":"b7b1ed48fcae410e28bdade3bf5a715b8c4b1390e43591f8263964d8ee302b43"},{"import_time":"2026-07-09T17:19:16.423308005Z","source":"ossf-package-analysis","modified_time":"2026-07-09T16:56:47Z","versions":["1.5.2"],"sha256":"5f02ee2873da4d092fe8c8cc7418db3d2c661a64e5015eb0505fe26e5979da80"},{"import_time":"2026-07-09T17:19:16.669670167Z","source":"ossf-package-analysis","modified_time":"2026-07-09T17:09:06Z","versions":["1.3.0"],"sha256":"73d50f95c05f103c28463abdeff6ebf402d5a23abdc0ef3429d20a105237c966"},{"import_time":"2026-07-09T17:19:16.548586759Z","source":"ossf-package-analysis","modified_time":"2026-07-09T17:04:41Z","versions":["1.5.0"],"sha256":"bf2530ede2ed0c04e03f8810e9ca789a38102fdf0cdeb61dd629cb1b522accd0"},{"source":"amazon-inspector","import_time":"2026-07-09T21:03:51.208656795Z","modified_time":"2026-07-09T21:02:54Z","id":"IN-MAL-2026-009404","versions":["1.6.0"],"sha256":"162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac"},{"import_time":"2026-07-09T21:03:50.995180692Z","source":"amazon-inspector","modified_time":"2026-07-09T20:43:23Z","id":"IN-MAL-2026-009399","versions":["1.5.2"],"sha256":"17546bb5a46f94f7604006011f2c9f5ba4c1ad03811e93670ab6957cb74c7fc4"},{"source":"amazon-inspector","import_time":"2026-07-09T22:56:37.15114829Z","modified_time":"2026-07-09T22:52:42Z","id":"IN-MAL-2026-009588","versions":["1.5.5"],"sha256":"4eab0605359a6944c7d4b87b70c5f858040f5e3e6869c2d15ea2ea11c690a945"},{"import_time":"2026-07-09T22:56:36.97831884Z","source":"amazon-inspector","modified_time":"2026-07-09T22:52:28Z","id":"IN-MAL-2026-009586","versions":["1.5.4"],"sha256":"90b80b7f518a8ab921cfdbd8eaffb2a84bff97d11ebd5c9f0623ad67891808cf"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/nonenull1/v/1.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nonenull1/v/1.3.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nonenull1/v/1.4.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nonenull1/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nonenull1/v/1.6.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nonenull1/v/1.5.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nonenull1/v/1.5.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nonenull1/v/1.5.4"}],"affected":[{"package":{"name":"nonenull1","ecosystem":"npm","purl":"pkg:npm/nonenull1"},"versions":["1.2.0","1.3.0","1.4.0","1.0.0","1.5.2","1.5.0","1.6.0","1.5.5","1.5.4"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nonenull1/MAL-2026-10090.json","indicators":{"evidence_files":[{"tlsh":"61c08038d53c4c5015c51418411dd441f8514153444e6d45f9cd543c4fa40062c5cbdd","sha256":"66847ccf16dfa4a8586414a7d681b0863b0999507b87f5db0388960c17136878","path":"binding.gyp"}],"package_integrity":[{"hashes":{"sha1":"edf2a3b90ea98fa2212cdf8900472505f7120d4e","sha512_sri":"sha512-nvMf/vvu8SCRundblSdFb3Aohj4vYFYxlcVfLmzNF8iYr0oKgIjaZ199vEes9cqeqTxHNOWh5hsukYTpJE+8ow=="},"filename":"nonenull1-1.2.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}