Summary
In late July/August 2017, a user named 'hacktask' published around 37 typosquatting packages on npm with names mimicking popular libraries, the most notable being 'crossenv' (impersonating cross-env). The package replicated the legitimate functionality but added an install-time snippet that harvested all environment variables, often containing tokens, keys and credentials, and exfiltrated them to npm.hacktask.net. crossenv was tracked as CVE-2017-16074; actual installs were limited (estimated under ~50) and npm removed roughly 40 packages.
References
Related vulnerabilities
All Supply chain →- CRITICALGHSA-X223-P2GF-V735
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
- MEDIUMGHSA-FG94-H982-F3MM
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
- HIGHGHSA-RJXQ-QQHF-8HWH
OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
- MEDIUMGHSA-5JV2-G5WQ-CMR4
vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
- HIGHGHSA-RM2V-H48J-895M
n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host
- HIGHGHSA-2J5H-858J-5MPF
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints