Supply-chain threat intelligence
Risk score
92
Indexed incident for evil-pkg (npm).
Package declares "bin": {"node": "./shim.js"} in package.json, which registers shim.js as the node command in node_modules/.bin. In any environment where node_modules/.bin is prepended to PATH (notably Bun, but also any shell or tool that resolves binaries through the local bin directory), subsequent invocations of node — including those made by other packages' lifecycle scripts during the same install — will execute shim.js instead of the real Node.js runtime. When triggered, shim.js writes /tmp/.bun-npm-pwned and prints a hijack banner to stderr. The current payload is a benign marker, but the mechanism is a fully functional unconsented code-execution channel on the installer's machine: any code placed in shim.js would run with the installer's privileges whenever a sibling package invokes node during install. The package's own README markets this behavior as a PATH-poisoning attack proof-of-concept (BunnyHijack) and explicitly notes that a real attacker would use the same vector to exfiltrate .env, ~/.ssh, and ~/.npmrc. Hijacking a core runtime command name is not a legitimate use of the bin field and constitutes a deliberate supply-chain attack mechanism shipped to the registry.
Affected versions
Indicators
Timeline