Supply-chain threat intelligence
Risk score
92
Indexed incident for nonenull1 (npm).
The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — <!(node index.js...) with type: none — so that npm's automatic node-gyp rebuild step runs node index.js during install-time configure. index.js then collects installer identifiers via os.hostname(), os.userInfo().username, and the CI environment variables GITHUB_REPOSITORY and RUNNER_ENVIRONMENT, and POSTs a JSON body to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev (https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1). It also drops GYP_STEALTH_PWNED.txt into GITHUB_WORKSPACE (or cwd) whose content self-identifies as Stealth RCE via binding.gyp!. There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit install/postinstall script masks the lifecycle execution — the trigger is binding.gyp presence, which npm resolves via node-gyp rebuild. This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.
The OpenSSF Package Analysis project identified 'nonenull1' @ 1.5.2 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline