npm · Malicious package advisory
Malwaretest-pkg-yarn
MAL-2026-6718
Malicious code in test-pkg-yarn (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (40b74339843ee482f3f135dd43e855f1f30758e20857333e0e6153748888769a)
package.json declares `bin: { "node": "./shim.js" }`, causing `npm`/`yarn` to symlink `node` in `node_modules/.bin` (and in a system bin dir on global install) to a package-controlled script. Subsequent invocations of `node` resolved through that PATH entry execute shim.js instead of the real Node.js runtime, redirecting any tooling that expects `node` to attacker-controlled code. In addition, `scripts.postinstall` runs `bun shim.js || node shim.js`, and shim.js unconditionally invokes OS commands at install time via `child_process.execSync` — spawning a GUI calculator (`calc` on Windows, `gnome-calculator` on Linux, `open -a Calculator` on macOS), opening a URL in the user's browser, and writing a marker file to `/tmp/.bun-npm-pwned`. The package self-identifies as 'BunnyHijack PoC - yarn variant' with the console message '[!] PATH POISONED - test-pkg-yarn just hijacked your node command.' Although framed as a proof-of-concept and not currently exfiltrating data, the behavior is real install-time code execution against any developer who installs the package and a persistent hijack of the `node` command in PATH.
Compromised versions (3)
- 1.0.2
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.