{"id":"MAL-2026-4647","summary":"Malicious code in prjct-cli (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (72b60bff5e0e18ecdc993dc505651612acba538fd6c5e46c4ea69619c453f8f9)\nOn `npm install`, scripts/postinstall.js invokes scripts/ensure-bun.sh, which runs `curl -fsSL https://bun.sh/install | bash` with no version pin and no hash/signature verification. The bin shim (bin/prjct) subsequently prefers the freshly installed `bun` over `node` and uses it to execute the package's sibling dist/bin/prjct.mjs. This is the alternate-runtime-dropper shape: arbitrary bytes served by the upstream URL at install time become a runtime that then executes package code, bypassing Node-aware tooling and any pinned-version assumptions. Whatever bun.sh serves at the moment of install is granted execution on the installer's machine. Even though the destination is the genuine Bun publisher, the unpinned curl|bash pattern means the installer has no way to verify what bytes are executed; a future compromise of bun.sh, a TLS interception, or a mutable installer script change all silently ship arbitrary code into the install.\nThe bin shim additionally mutates $HOME (writing into ~/.claude, ~/.codex, ~/.prjct-cli, creating symlinks in $HOME) on every invocation — content is package-owned and matches the advertised AI-agent integration purpose, but it is aggressive install practice worth flagging.\n","modified":"2026-06-26T12:26:01.285886193Z","published":"2026-05-20T08:34:26Z","withdrawn":"2026-06-22T18:46:10Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003504","sha256":"72b60bff5e0e18ecdc993dc505651612acba538fd6c5e46c4ea69619c453f8f9","modified_time":"2026-05-20T08:34:26Z","import_time":"2026-05-26T05:50:45.104566049Z","versions":["2.21.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/prjct-cli/v/2.21.0"}],"affected":[{"package":{"name":"prjct-cli","ecosystem":"npm","purl":"pkg:npm/prjct-cli"},"versions":["2.21.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"8b01deb81c6a4a5000b513c556209bd5ca1009e8","sha512_sri":"sha512-UTsTKm4l/pjFfgPSt0Hb40mfPDv2x6ju+mCvZjUsFe19J7NTdJMoCZUSttKlmsa0clwJf+oOTUI7VjRAXm0oUw=="},"filename":"prjct-cli-2.21.0.tgz"}],"evidence_files":[{"path":"scripts/ensure-bun.sh","tlsh":"6e11827392409a323c0803a29696621f7786332b0c40bc2670ff6551331b66a71e7f36","sha256":"a428d6b2df380bec528df0c2bab542cf394508307bae9afcde6eb99a028e14fc"},{"sha256":"7e2c2dd00e12c696a5bf106dd4fac180de7aa36112ab13d17f13052a26e64bdb","tlsh":"3fc1a76bf8146a31314480ac49c5f1857b8a41331925bc54b1be9b593f39bd6817e3bb","path":"bin/prjct"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/prjct-cli/MAL-2026-4647.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}