OSV Malicious Advisory
scanned 10d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6374 confirms this npm version as malicious. package.json declares `"bin": { "node": "./shim.js" }`, which causes npm to place a `node` symlink inside `node_modules/.bin/`. Because npm prepends `node_modules/.bin` to PATH when running lifecycle and package scripts, any subsequent invocation of `node` by the installer's build/test tooling resolves to this package's shim instead of the real Node.js runtime. The shim file `shim.js` begins with `#!/usr/bin/env...
Advisory
MAL-2026-6374
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in evil-pkg (npm)
Details
package.json declares `"bin": { "node": "./shim.js" }`, which causes npm to place a `node` symlink inside `node_modules/.bin/`. Because npm prepends `node_modules/.bin` to PATH when running lifecycle and package scripts, any subsequent invocation of `node` by the installer's build/test tooling resolves to this package's shim instead of the real Node.js runtime. The shim file `shim.js` begins with `#!/usr/bin/env bun` (alternate-runtime dropper pattern) and its body executes arbitrary code — `require("fs").writeFileSync("/tmp/.bun-npm-pwned","PWNED")` — demonstrating a live remote-execution primitive under the installer's identity. Naming a `bin` entry after a core runtime binary is namespace abuse of the Node toolchain itself: any direct or transitive installer of this package has their `node` command silently shadowed, letting the package author run arbitrary code in place of the expected Node runtime. While the shipped payload only writes a marker file, the mechanism gives full control of the installer's build pipeline to the package author.
Decision reason
OpenSSF Malicious Packages via OSV confirms evil-pkg@1.0.1 as malicious (MAL-2026-6374): Malicious code in evil-pkg (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory