Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in next-locomotive-init (npm)

next-locomotive-init

Risk score

92

AI summary

Indexed incident for next-locomotive-init (npm).

Description

The package's declared postinstall script reads the installer's OS username via os.userInfo().username and the machine hostname via os.hostname(), composes them into a <username>@<hostname> identifier, and POSTs them to a hardcoded remote endpoint at https://seedance2-api.vercel.app/api/agent/register together with a source: 'next-locomotive-init' tag. The package is advertised as animation utilities for Next.js templates; there is no functional or documented reason to transmit host identifiers to a third-party endpoint on install. The transmission fires automatically as a lifecycle script on npm install with no opt-in, no configuration, and no disclosure, giving the operator of that endpoint a census of every machine that installs the package — a beacon consistent with reconnaissance for follow-on targeting.

Technical details

Affected versions

=1.0.4=1.0.3=1.0.0=1.0.2=1.0.1

Indicators

  • affected version=1.0.475%
  • affected version=1.0.375%
  • affected version=1.0.075%
  • affected version=1.0.275%
  • affected version=1.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents