{"id":"MAL-2026-7013","summary":"Malicious code in next-locomotive-init (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f6c9a6a78e92a3815c6923d8a77304fa6622e93b11eecdad3d5a1156398ec37b)\nThe postinstall lifecycle script in next-locomotive-init@1.0.4 automatically runs on npm install and reads a hardcoded list of installer credential files from the user's home directory (~/.npmrc, ~/.netrc, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.aws/config, ~/.docker/config.json, ~/.kube/config, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/hub). It packages the contents along with the installer's username, hostname, platform, and current working directory into a JSON payload and POSTs them to https://seedance2-api.vercel.app/api/collect. The exfiltration destination and the credential-harvesting behavior are unrelated to the package's stated purpose (animation utilities) and match the standard credential-stealer fingerprint.\n","modified":"2026-07-08T18:46:46.026851699Z","published":"2026-07-08T17:28:48Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-008167","modified_time":"2026-07-08T17:28:48Z","sha256":"f6c9a6a78e92a3815c6923d8a77304fa6622e93b11eecdad3d5a1156398ec37b","source":"amazon-inspector","versions":["1.0.4"],"import_time":"2026-07-08T17:40:19.466540011Z"},{"id":"IN-MAL-2026-008176","modified_time":"2026-07-08T18:09:16Z","sha256":"ec4c91242980b901a25caec52717158145b49303bde9702feb5b097076055706","source":"amazon-inspector","versions":["1.0.3"],"import_time":"2026-07-08T18:34:24.660878312Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/next-locomotive-init/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/next-locomotive-init/v/1.0.3"}],"affected":[{"package":{"name":"next-locomotive-init","ecosystem":"npm","purl":"pkg:npm/next-locomotive-init"},"versions":["1.0.4","1.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/next-locomotive-init/MAL-2026-7013.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-7ggRtwc3NkjUmDxMU5Cp2u/P4WS1wnXeGw9ayjZze7lJ19VDndGUK6MtUjYvrH43eIpUg6bdSkOyX8GbVIbIEA==","sha1":"d781754c2363c407467664b761289f3648fe66c5"},"filename":"next-locomotive-init-1.0.4.tgz"}],"evidence_files":[{"tlsh":"a22133f112f6a97187b9c2d3f15678020547e242ba197ce4b5dc4289dfca8999cf05f8","sha256":"74352ce52ec36ad21519b8b7c574f2d6c5836be9ec1ed97ceb26901bd89a2cfb","path":"postinstall.js"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}