cache-poisoning-pwn-demo @0.1.29

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-3751

Ecosystem

npm

Summary

The package's postinstall hook (node -e "try { require('./dist/postinstall.js'); } catch(e) {}") loads dist/postinstall.js, which bundles a poisoned is-number module whose top-level IIFE unconditionally calls child_process.exec with a platform-specific command: open -a Calculator on macOS, calc.exe on Windows, and gnome-calculator / xcalc on Linux. The same IIFE is also present in dist/index.js (the package's main entry), so any consumer that does require('cache-poisoning-pwn-demo') or imports it will also spawn a child process with no user consent. The package self-describes as a supply-chain attack demonstration. While today's payload spawns only a calculator, the mechanism is a fully functional install-time and import-time arbitrary-command executor: any installer running npm install, or any downstream library that transitively requires this package, will execute the hardcoded command in the installer's context. The calculator is a demonstration payload; the delivery primitive is a real attack.

Source: amazon-inspector (dacd21af4f62dd3183bfc4126d1cbcf18600a1c72301b7ae8ca401ec7e44f94e)
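The two delivery points described above (a lifecycle script that evaluates inline code and a bundled file whose top-level IIFE reaches child_process) can be flagged with simple heuristics before a package is installed. The following is an added example written for this page, not code from the OSV record or from the package; the manifest and bundle it inspects are constructed samples that mirror the shape of the quoted hook.

```javascript
// Added example: heuristic audit of an npm package for install-time and
// import-time command execution. Inputs below are constructed samples.
const SCRIPT_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Flags lifecycle scripts that evaluate inline code, swallow errors, or
// load a pre-built dist file (all three appear in the reported hook).
function auditLifecycleScripts(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of SCRIPT_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    if (/\bnode\s+-e\b/.test(cmd)) findings.push(`${hook}: inline node -e evaluation`);
    if (/catch\s*\(\s*\w*\s*\)\s*\{\s*\}/.test(cmd)) findings.push(`${hook}: errors silently swallowed`);
    if (/require\(['"]\.\/dist\//.test(cmd)) findings.push(`${hook}: loads a pre-built dist file`);
  }
  return findings;
}

// Flags bundled source that references child_process, and escalates when
// that reference sits inside an immediately-invoked function expression
// (i.e. it runs on require/import, not only when an API is called).
function auditBundledSource(src) {
  const findings = [];
  const usesChildProcess =
    /require\(['"]child_process['"]\)/.test(src) || /child_process\.(exec|spawn|execSync)/.test(src);
  const hasIife =
    /\(\s*function\s*\([^)]*\)\s*\{[\s\S]*?\}\s*\)\s*\(\s*\)/.test(src) ||
    /\(\s*\([^)]*\)\s*=>\s*\{[\s\S]*?\}\s*\)\s*\(\s*\)/.test(src);
  if (usesChildProcess) findings.push("references child_process");
  if (usesChildProcess && hasIife) findings.push("child_process reached from a top-level IIFE");
  return findings;
}

// Constructed manifest whose postinstall hook matches the one quoted in the report.
const sampleManifest = {
  name: "constructed-example-pkg",
  scripts: { postinstall: "node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\"" },
};

// Constructed bundle: a top-level IIFE calling exec with a placeholder command.
const sampleBundle =
  "(function(){ var cp = require('child_process'); cp.exec('PLACEHOLDER_COMMAND'); })();";

// Run the audit over the constructed samples and return a combined report.
function auditPackage(manifest, bundleSource) {
  return { scripts: auditLifecycleScripts(manifest), bundle: auditBundledSource(bundleSource) };
}
```

In practice the same functions can be pointed at package.json and the files listed in its "main" and lifecycle scripts from a tarball fetched with npm pack, before npm install ever runs the hook.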
