Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in evil-pkg (npm)

evil-pkg

Risk score

92

AI summary

Indexed incident for evil-pkg (npm).

Description

Package declares "bin": {"node": "./shim.js"} in package.json, which registers shim.js as the node command in node_modules/.bin. In any environment where node_modules/.bin is prepended to PATH (notably Bun, but also any shell or tool that resolves binaries through the local bin directory), subsequent invocations of node — including those made by other packages' lifecycle scripts during the same install — will execute shim.js instead of the real Node.js runtime. When triggered, shim.js writes /tmp/.bun-npm-pwned and prints a hijack banner to stderr. The current payload is a benign marker, but the mechanism is a fully functional unconsented code-execution channel on the installer's machine: any code placed in shim.js would run with the installer's privileges whenever a sibling package invokes node during install. The package's own README markets this behavior as a PATH-poisoning attack proof-of-concept (BunnyHijack) and explicitly notes that a real attacker would use the same vector to exfiltrate .env, ~/.ssh, and ~/.npmrc. Hijacking a core runtime command name is not a legitimate use of the bin field and constitutes a deliberate supply-chain attack mechanism shipped to the registry.

Technical details

Affected versions

=1.0.0=1.0.1=1.0.5=1.0.4=1.0.2=1.0.3

Indicators

  • affected version=1.0.075%
  • affected version=1.0.175%
  • affected version=1.0.575%
  • affected version=1.0.475%
  • affected version=1.0.275%
  • affected version=1.0.375%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents