Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in nonenull1 (npm)

nonenull1

Risk score

92

AI summary

Indexed incident for nonenull1 (npm).

Description

The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — <!(node index.js...) with type: none — so that npm's automatic node-gyp rebuild step runs node index.js during install-time configure. index.js then collects installer identifiers via os.hostname(), os.userInfo().username, and the CI environment variables GITHUB_REPOSITORY and RUNNER_ENVIRONMENT, and POSTs a JSON body to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev (https://crabbing-thong-overhung.ngrok-free.dev/?gyp_rce=1). It also drops GYP_STEALTH_PWNED.txt into GITHUB_WORKSPACE (or cwd) whose content self-identifies as Stealth RCE via binding.gyp!. There are no shipped native sources for the GYP config to build; the binding.gyp exists solely to trigger the embedded JS at install. The absence of any explicit install/postinstall script masks the lifecycle execution — the trigger is binding.gyp presence, which npm resolves via node-gyp rebuild. This is a fully automatic install-time RCE and CI-reconnaissance beacon, with the ngrok destination indicating an author-controlled receiver.

The OpenSSF Package Analysis project identified 'nonenull1' @ 1.5.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Technical details

Affected versions

=1.2.0=1.3.0=1.4.0=1.0.0=1.5.2=1.5.0=1.6.0=1.5.5=1.5.4=1.5.6

Indicators

  • affected version=1.2.075%
  • affected version=1.3.075%
  • affected version=1.4.075%
  • affected version=1.0.075%
  • affected version=1.5.275%
  • affected version=1.5.075%
  • affected version=1.6.075%
  • affected version=1.5.575%
  • affected version=1.5.475%
  • affected version=1.5.675%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents