npm · Malicious package advisory
Malwareprjct-cli
MAL-2026-4647
Malicious code in prjct-cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (72b60bff5e0e18ecdc993dc505651612acba538fd6c5e46c4ea69619c453f8f9) On `npm install`, scripts/postinstall.js invokes scripts/ensure-bun.sh, which runs `curl -fsSL https://bun.sh/install | bash` with no version pin and no hash/signature verification. The bin shim (bin/prjct) subsequently prefers the freshly installed `bun` over `node` and uses it to execute the package's sibling dist/bin/prjct.mjs. This is the alternate-runtime-dropper shape: arbitrary bytes served by the upstream URL at install time become a runtime that then executes package code, bypassing Node-aware tooling and any pinned-version assumptions. Whatever bun.sh serves at the moment of install is granted execution on the installer's machine. Even though the destination is the genuine Bun publisher, the unpinned curl|bash pattern means the installer has no way to verify what bytes are executed; a future compromise of bun.sh, a TLS interception, or a mutable installer script change all silently ship arbitrary code into the install. The bin shim additionally mutates $HOME (writing into ~/.claude, ~/.codex, ~/.prjct-cli, creating symlinks in $HOME) on every invocation — content is package-owned and matches the advertised AI-agent integration purpose, but it is aggressive install practice worth flagging.
Compromised versions (1)
- 2.21.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.