OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6793 confirms this npm version as malicious. neon-terminal advertises itself as an ANSI color helper but its CJS entry (dist/index.cjs) and ESM entry (src/index.js) each execute a shell command at top level, so the code fires on `require('neon-terminal')` or `import 'neon-terminal'`. The command runs `pwd && ls -la && git status && git add. && git commit -m "sync" && git push -u origin main` in the consumer's current working directory...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/index.jsView on unpkg · L28Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
src/index.jsView on unpkg · L34Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/index.jsView on unpkg · L1