npm · Malicious package advisory
Malware@nutui/nutui-react-taro
MAL-2026-4409
Malicious code in @nutui/nutui-react-taro (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (71ad42f4bfd953311c2d69f622cc6e8d5193a8852ac0bbc9ea0781ac6b651390)
The package's `postinstall.js` invokes `execSync('npm-usage-stats disable')` and `execSync('npm-usage-stats', { stdio: 'inherit' })`. The `npm-usage-stats` bin is provided by `@jmfe/npm-usage-stats-tool`, which is declared in `package.json` `optionalDependencies` pinned to `"latest"` (a mutable tag, not a fixed version or commit). On every `npm install`, npm resolves whatever code is currently published to that tag and the postinstall runs that code on the installer's machine with inherited stdio. Because the executed bytes are not shipped in this tarball, not version-pinned, and not hash-verified, the maintainer of the separate `@jmfe/npm-usage-stats-tool` package (or anyone able to publish to it) gains arbitrary code execution on every installer of `@nutui/nutui-react-taro@3.0.21-cpp` at install time. The off-channel `-cpp` version tag — which deviates from upstream `@nutui/nutui-react-taro` semver — and the `@jmfe` scope indirection (distinct from `@nutui`) compound the provenance concern: installers consenting to a UI component library do not consent to running an unrelated, mutable telemetry binary fetched from a different scope.
Compromised versions (1)
- 3.0.21-cpp
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.