@nutui/nutui-react-taro @3.0.21-cpp
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4409
Ecosystem
npm
Summary
The package's postinstall.js invokes execSync('npm-usage-stats disable') and execSync('npm-usage-stats', { stdio: 'inherit' }). The npm-usage-stats bin is provided by @jmfe/npm-usage-stats-tool, which is declared in package.json optionalDependencies pinned to "latest" (a mutable tag, not a fixed version or commit). On every npm install, npm resolves whatever code is currently published to that tag and the postinstall runs that code on the installer's machine with inherited stdio. Because the executed bytes are not shipped in this tarball, not version-pinned, and not hash-verified, the maintainer of the separate @jmfe/npm-usage-stats-tool package (or anyone able to publish to it) gains arbitrary code execution on every installer of @nutui/nutui-react-taro@3.0.21-cpp at install time. The off-channel -cpp version tag (which deviates from upstream @nutui/nutui-react-taro semver) and the @jmfe scope indirection (distinct from @nutui) compound the provenance concern: installers consenting to a UI component library do not consent to running an unrelated, mutable telemetry binary fetched from a different scope.
Source: amazon-inspector (71ad42f4bfd953311c2d69f622cc6e8d5193a8852ac0bbc9ea0781ac6b651390)
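The combination described in the summary (an install lifecycle hook that shells out to a binary supplied by a dependency pinned to a mutable dist-tag) can be flagged by a static check on package.json and the hook script before anything is installed. The following is an added example, not code from the advisory, osv.dev or the package; it assumes a parsed package.json object and the hook script's source text as inputs, and the sample data is constructed to mirror the summary rather than taken from the real files:

```javascript
const SEMVER_EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'devDependencies'];

// Only an exact version names a fixed artifact; dist-tags such as "latest",
// "*" and semver ranges are re-resolved by the registry on every install.
function isMutableSpec(spec) {
  return !SEMVER_EXACT.test(String(spec).trim());
}

// Command names passed as string literals to child_process calls in a hook script.
function extractShellCommands(source) {
  const re = /\b(?:execSync|exec|spawnSync|spawn)\(\s*(['"`])([^'"`]+)\1/g;
  const cmds = [];
  for (let m; (m = re.exec(source)) !== null; ) cmds.push(m[2].trim().split(/\s+/)[0]);
  return cmds;
}

// pkg: parsed package.json; hookSources: { "<file>": "<source text>" } for the
// local scripts the hooks invoke (an assumed input shape, not an npm API).
function auditInstallHooks(pkg, hookSources = {}) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
    const file = (scripts[hook].match(/\bnode\s+(\S+)/) || [])[1];
    for (const cmd of extractShellCommands(hookSources[file] || '')) {
      findings.push(`hook "${hook}" shells out to "${cmd}"`);
    }
  }
  const mutable = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isMutableSpec(spec)) mutable.push(`${field}.${name} = "${spec}" (mutable)`);
    }
  }
  findings.push(...mutable);
  // Risky: install-time code execution combined with a dependency whose bytes
  // can change without any change to this package's own tarball.
  const hasHook = LIFECYCLE_HOOKS.some((h) => Boolean(scripts[h]));
  return { risky: hasHook && mutable.length > 0, findings };
}
// Constructed sample mirroring the advisory's description (not the real files).
const SAMPLE_PKG = { scripts: { postinstall: 'node postinstall.js' },
  optionalDependencies: { '@jmfe/npm-usage-stats-tool': 'latest' } };
const SAMPLE_HOOK = "const { execSync } = require('child_process');\n" +
  "execSync('npm-usage-stats disable');\nexecSync('npm-usage-stats', { stdio: 'inherit' });\n";
console.log(auditInstallHooks(SAMPLE_PKG, { 'postinstall.js': SAMPLE_HOOK }));
```

The check only sees string-literal commands; a hook that builds its command dynamically still shows up as a lifecycle hook finding, which on its own is worth a manual look when it is paired with any mutable dependency spec.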