Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in test-pkg-yarn (npm)

test-pkg-yarn

Risk score

92

AI summary

Indexed incident for test-pkg-yarn (npm).

Description

package.json declares bin: { "node": "./shim.js" }, causing npm/yarn to symlink node in node_modules/.bin (and in a system bin dir on global install) to a package-controlled script. Subsequent invocations of node resolved through that PATH entry execute shim.js instead of the real Node.js runtime, redirecting any tooling that expects node to attacker-controlled code. In addition, scripts.postinstall runs bun shim.js || node shim.js, and shim.js unconditionally invokes OS commands at install time via child_process.execSync — spawning a GUI calculator (calc on Windows, gnome-calculator on Linux, open -a Calculator on macOS), opening a URL in the user's browser, and writing a marker file to /tmp/.bun-npm-pwned. The package self-identifies as 'BunnyHijack PoC - yarn variant' with the console message '[!] PATH POISONED - test-pkg-yarn just hijacked your node command.' Although framed as a proof-of-concept and not currently exfiltrating data, the behavior is real install-time code execution against any developer who installs the package and a persistent hijack of the node command in PATH.

Technical details

Affected versions

=1.0.2, =1.0.1, =1.0.0

Indicators

  • affected version =1.0.2 (75%)
  • affected version =1.0.1 (75%)
  • affected version =1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents