{"id":"MAL-2026-10588","summary":"Malicious code in momenntjs (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6aae445dd0b77bd7409820067097404e4ccb16d658e7911c7c4e659146fdfad4)\nmomenntjs is a typosquat of momentjs whose package.json postinstall hook runs `node.init.js`. On `npm install`,.init.js enumerates roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, SSH_KEY, GCP/AZURE/Cloudflare tokens, and TWINE credentials) and reads home-directory credential files including ~/.npmrc, ~/.env*, config/credentials.json, and files under ~/.config matching token/cred/secret patterns. It also collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid) and POSTs the combined JSON payload to a hardcoded webhook.cool inbox at tender-deer-80. The package provides no legitimate functionality matching its name.\n","modified":"2026-07-14T14:49:14.356203891Z","published":"2026-07-14T14:00:27Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"id":"IN-MAL-2026-010518","import_time":"2026-07-14T14:37:52.739265241Z","modified_time":"2026-07-14T14:00:27Z","sha256":"6aae445dd0b77bd7409820067097404e4ccb16d658e7911c7c4e659146fdfad4","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/momenntjs/v/1.0.0"}],"affected":[{"package":{"name":"momenntjs","ecosystem":"npm","purl":"pkg:npm/momenntjs"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"momenntjs-1.0.0.tgz","hashes":{"sha512_sri":"sha512-nc6IjJ3B1qCdot2NpGBdNmQmpeago71/INfI/2JBYHLVWFhiW+sk/uIZh31KXXkSI6WMkHODZbP9Ro4ePtwWVw==","sha1":"d13a1a38466774751475d48e101671d4b3c8ba77"}}],"evidence_files":[{"path":".init.js","sha256":"6eb3939e40f85d1c3f591a3cd3a3edf0fd00c9b09fd7cb48f62e11edca3219b2","tlsh":"d9513181849e521310db2af168034c00a67ee59b3435e6e17e8f02249fddc6c85b3fbd"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/momenntjs/MAL-2026-10588.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}