MAL-2026-10090: Malicious code in nonenull1 (npm)
The npm package 'nonenull1' contains malicious code that exploits npm's automatic build process to execute arbitrary JavaScript code during installation. The package's binding.gyp file abuses GYP command-expansion syntax to run a script that collects environment and installer information and sends it to a malicious external server. It also creates a file indicating stealth remote code execution. This behavior occurs without explicit install scripts, making it a fully automatic install-time remote code execution and reconnaissance threat.
AI Analysis
Technical Summary
The 'nonenull1' npm package (versions 1.0.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.2, 1.5.4, 1.5.5, 1.6.0) is malicious. It declares 'gypfile: true' with no native sources and uses binding.gyp to trigger 'node index.js' during npm's 'node-gyp rebuild' install step. The index.js script collects system and CI environment data and exfiltrates it via HTTP POST to a hardcoded ngrok domain controlled by the attacker. It also drops a file named 'GYP_STEALTH_PWNED.txt' to mark the compromise. This technique bypasses explicit lifecycle scripts, enabling stealthy automatic install-time remote code execution and data exfiltration.
Potential Impact
This package enables automatic remote code execution during installation without explicit install scripts, allowing attackers to execute arbitrary code on the victim's system. It also collects and exfiltrates environment and installer information to an attacker-controlled server, potentially compromising sensitive CI environment data. This can lead to unauthorized access, data leakage, and further compromise of the development or deployment environment.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing or using the 'nonenull1' package in any of the affected versions. Review dependency trees for this package and remove or replace it. Monitor for any unexpected files such as 'GYP_STEALTH_PWNED.txt' in build or workspace directories as an indicator of compromise. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
MAL-2026-10090: Malicious code in nonenull1 (npm)
Description
The npm package 'nonenull1' contains malicious code that exploits npm's automatic build process to execute arbitrary JavaScript code during installation. The package's binding.gyp file abuses GYP command-expansion syntax to run a script that collects environment and installer information and sends it to a malicious external server. It also creates a file indicating stealth remote code execution. This behavior occurs without explicit install scripts, making it a fully automatic install-time remote code execution and reconnaissance threat.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'nonenull1' npm package (versions 1.0.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.2, 1.5.4, 1.5.5, 1.6.0) is malicious. It declares 'gypfile: true' with no native sources and uses binding.gyp to trigger 'node index.js' during npm's 'node-gyp rebuild' install step. The index.js script collects system and CI environment data and exfiltrates it via HTTP POST to a hardcoded ngrok domain controlled by the attacker. It also drops a file named 'GYP_STEALTH_PWNED.txt' to mark the compromise. This technique bypasses explicit lifecycle scripts, enabling stealthy automatic install-time remote code execution and data exfiltration.
Potential Impact
This package enables automatic remote code execution during installation without explicit install scripts, allowing attackers to execute arbitrary code on the victim's system. It also collects and exfiltrates environment and installer information to an attacker-controlled server, potentially compromising sensitive CI environment data. This can lead to unauthorized access, data leakage, and further compromise of the development or deployment environment.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing or using the 'nonenull1' package in any of the affected versions. Review dependency trees for this package and remove or replace it. Monitor for any unexpected files such as 'GYP_STEALTH_PWNED.txt' in build or workspace directories as an indicator of compromise. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10090
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba4c68715ace4357ea4e
Added to database: 07/10/2026, 09:24:28 UTC
Last enriched: 07/10/2026, 09:39:03 UTC
Last updated: 07/10/2026, 09:39:03 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.