registry  /  progerss-cli  /  3.12.0

progerss-cli@3.12.0

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5343 confirms this npm version as malicious. `progerss-cli` is a typosquat of the popular `cli-progress` package that ships an obfuscated payload executed automatically on install.

Advisory
MAL-2026-5343
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in progerss-cli (npm)
Details
`progerss-cli` is a typosquat of the popular `cli-progress` package that ships an obfuscated payload executed automatically on install. The package borrows trust from its victim: `repository.url` is set to `https://github.com/npkgz/cli-progress` — the legitimate cli-progress project's own repository — and the author field is set to `andidittrich` (the real maintainer). `package.json` defines `scripts.postinstall`: `node build-helper.js`, and declares `form-data` as its only runtime dependency (used for exfiltration). **build-helper.js (load gate):** polls up to 31 times at 1.5 s intervals for `form-data` to resolve (`require.resolve('form-data')`), then `require('./index.js')`. This delays payload execution until the exfiltration dependency is fully installed, evading naive install-time analysis that runs before dependencies settle. **index.js:** a ~273 KB obfuscated payload that performs data collection and `form-data`-based HTTP exfiltration. --- ## Source: amazon-inspector (ea4c1c3b9761cfe244327e4937c18585ef6fc901df383b24c3f0e148c195e8f7) Package name 'progerss-cli' resembles the common spelling 'progress-cli' via a two-character transposition, which is a typical typosquat shape. No exfiltration, dropper, credential access, or other installer-harm behavior was observed in the scanned files, and no lifecycle scripts were identified. Without a confirmed payload, name similarity alone is not sufficient to block, but the naming pattern warrants human review to assess intent and impact on installers who mistype a target package name. ## Source: ghsa-malware (7fde91dd01fb8e69b5fcf0130d7fc0e5d08b1820413452ed0d72ce42d06e6dab) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms progerss-cli@3.12.0 as malicious (MAL-2026-5343): Malicious code in progerss-cli (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory