npm

@tarojs/cli@4.2.1-beta.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4453

Ecosystem

npm

Summary

On npm install, the package's postinstall script performs a reachability GET to https://taro.jd.com/ and, on success, invokes the package's own bin/taro global-config add-plugin @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com. Internally this shells out to npm install @jdtaro/plugin-build-report-performance@latest --registry=http://registry.m.jd.com in the user's ~/.taro global-config directory.

Two installer-harm properties hold simultaneously: (1) the dependency is unpinned (@latest), so the bytes resolved at install time are not under the publisher's control, and (2) the registry is reached over plain HTTP (http://registry.m.jd.com), so any on-path network attacker can substitute an arbitrary tarball whose own lifecycle scripts will execute as the installing user. The plugin is then persistently registered in the user's global Taro config (TARO_GLOBAL_CONFIG_DIR), so it is auto-loaded by every subsequent taro build invocation across all projects, with no prompt or opt-in. The name and registry suggest a JD build-telemetry plugin, but the installer-harm concern is independent of intent: an unpinned, plain-HTTP fetch-and-execute at lifecycle time is a textbook MITM-to-RCE path.
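The two properties called out above (an unpinned spec and a plain-HTTP registry inside a lifecycle script) are mechanically checkable before a package is allowed to run its install hooks. The following is an added example written for this page; it is not code from @tarojs/cli, Taro, or the OSV/amazon-inspector report. Function names (auditCommand, auditManifest, auditScriptSource), the lifecycle-hook list and the constructed manifests with placeholder package names and registry hosts are all assumptions made for the illustration; only the shape of the suspect command is modelled on the behaviour the summary describes.

```javascript
'use strict';
// Added example: a static audit for the "fetch-and-execute at lifecycle time" pattern.
// Illustrative code written for this page, not code from @tarojs/cli or the report.
// All inputs below are constructed.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublishOnly'];
// Verbs that indicate a sub-command resolves and installs packages (assumed list).
const INSTALL_VERB = /\b(install|add|add-plugin)\b/;
// "name@range" or "@scope/name@range"; the final "@" separates name from range.
const SPEC_RE = /^(@[a-z0-9._-]+\/)?[a-z0-9._-]+@([^@\s]+)$/i;
// An exact version (optionally prerelease). Tags like "latest" and ranges like "^1.2" are not.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9a-z.-]+)?$/i;

// Audit a single shell command string. Returns finding strings such as
// "plain-http-registry:<url>", "unpinned-spec:<spec>" and "pipe-to-shell".
function auditCommand(cmd) {
  const findings = [];
  // Examine each sub-command separately; "|" is kept so pipe-to-shell stays visible.
  for (const segment of cmd.split(/\s*(?:&&|\|\||;)\s*/)) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;

    // Rule 1: a registry reached over plain HTTP (--registry=URL or --registry URL).
    for (let i = 0; i < tokens.length; i++) {
      const t = tokens[i];
      let registry = null;
      if (t.startsWith('--registry=')) registry = t.slice('--registry='.length);
      else if (t === '--registry' && i + 1 < tokens.length) registry = tokens[i + 1];
      if (registry && /^http:\/\//i.test(registry)) {
        findings.push(`plain-http-registry:${registry}`);
      }
    }

    // Rule 2: an install-like verb with a package spec that is not an exact version.
    if (INSTALL_VERB.test(segment)) {
      for (const t of tokens) {
        if (t.startsWith('-')) continue; // flags are not package specs
        const m = SPEC_RE.exec(t);
        if (m && !EXACT_VERSION.test(m[2])) findings.push(`unpinned-spec:${t}`);
      }
    }

    // Rule 3: a download piped straight into an interpreter.
    if (/\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b/.test(segment)) {
      findings.push('pipe-to-shell');
    }
  }
  return findings;
}

// Audit the lifecycle hooks of a parsed package.json. Returns [{hook, findings}] for
// every hook that produced at least one finding.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const results = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const findings = auditCommand(scripts[hook]);
    if (findings.length) results.push({ hook, findings });
  }
  return results;
}

// A hook often just runs "node scripts/postinstall.js" and builds the real command in
// that file. This pulls quoted string literals out of JavaScript source and audits each;
// crude, but it catches a command assembled as a single literal.
function auditScriptSource(source) {
  const literals = source.match(/(["'`])(?:\\.|(?!\1)[^\\])*\1/g) || [];
  const findings = [];
  for (const lit of literals) findings.push(...auditCommand(lit.slice(1, -1)));
  return findings;
}

// Constructed manifest modelled on the behaviour described above (placeholder names,
// not the real package): the CLI's own plugin installer, unpinned, over plain HTTP.
const SUSPECT_MANIFEST = {
  name: 'example-cli',
  scripts: {
    postinstall: 'node ./bin/cli global-config add-plugin @example/plugin-report@latest --registry http://registry.example.internal',
  },
};
// Constructed benign hook for comparison: exact version, HTTPS registry.
const CLEAN_MANIFEST = {
  name: 'example-clean',
  scripts: {
    postinstall: 'npm install left-pad@1.3.0 --registry=https://registry.npmjs.org',
  },
};

console.log(JSON.stringify(auditManifest(SUSPECT_MANIFEST), null, 2)); // two findings
console.log(JSON.stringify(auditManifest(CLEAN_MANIFEST), null, 2));   // []
```

Running this on SUSPECT_MANIFEST reports both a plain-http-registry and an unpinned-spec finding on the postinstall hook, while CLEAN_MANIFEST reports nothing. A check like this belongs in CI before lifecycle scripts are allowed to run; the blunt alternative, npm install --ignore-scripts (or npm ci --ignore-scripts), skips every lifecycle script in the tree, including legitimate native builds, so it is a containment measure rather than a replacement for inspecting what a hook actually does.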

Source: amazon-inspector (59b4e6cd0fe6bd16c6fb2bd04e6542a2a3052182d8815a08b124df56f2d9fde2)
