Supply-chain threat intelligence

critical · npm · malware · osv

Malicious code in test-pkg-pnpm (npm)

test-pkg-pnpm

Risk score

92

AI summary

Indexed incident for test-pkg-pnpm (npm).

Description

On npm install, the package's postinstall script (node demo-clean.js) auto-executes two installer-side actions without consent. First, openDemo() branches on platform and uses execSync to open https://github.com/X3r0Day/BunnyHijack in the installer's default browser and to spawn the OS calculator (calc on Windows, open -a Calculator on macOS, gnome-calculator/kcalc on Linux), the canonical calc.exe proof of unauthenticated code execution on the installer's host. Second, cleanup() walks every ancestor directory of INIT_CWD, process.cwd(), and the user's home directory, calling fs.rmSync(..., {recursive: true, force: true}) against paths inside each ancestor's node_modules, node_modules/.pnpm, and node_modules/.bin/node* shims, as well as ~/.npm/_npx, ~/.bun/install/cache, and tmpdir entries; cleanupPackageJson() then reads each ancestor's package.json and rewrites it via fs.writeFileSync after deleting matching entries from dependencies, devDependencies, optionalDependencies, and peerDependencies. The destructive recursive, forced rm operates well outside the package's own directory and reaches the user's home tree, and the spawned-process primitive can be retargeted to any binary in a future release.

Technical details

Affected versions

=1.0.1, =1.0.4

Indicators

  • affected version=1.0.1 (confidence 75%)
  • affected version=1.0.4 (confidence 75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
