evil-pkg @1.0.1
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 12:37 PM UTC
OSV ID
MAL-2026-6374
Ecosystem
npm
Summary
package.json declares "bin": { "node": "./shim.js" }, which causes npm to place a node symlink inside node_modules/.bin/. Because npm prepends node_modules/.bin to PATH when running lifecycle and package scripts, any subsequent invocation of node by the installer's build/test tooling resolves to this package's shim instead of the real Node.js runtime. The shim file shim.js begins with #!/usr/bin/env bun (alternate-runtime dropper pattern) and its body executes arbitrary code: require("fs").writeFileSync("/tmp/.bun-npm-pwned","PWNED"). This demonstrates a live code-execution primitive under the installer's identity.

Naming a bin entry after a core runtime binary is namespace abuse of the Node toolchain itself: any direct or transitive installer of this package has their node command silently shadowed inside npm-managed scripts, letting the package author run arbitrary code in place of the expected Node runtime. While the shipped payload only writes a marker file, the mechanism gives the package author full control of the installer's build pipeline.

Two caveats for triage. The shim only executes where bun is installed and on PATH; on a host without bun, /usr/bin/env cannot find the interpreter and the shadowed node command fails, so the build breaks outright rather than silently continuing. The shadowing is also scoped to contexts where npm has prepended node_modules/.bin to PATH (lifecycle scripts, npm run, npm exec/npx); a node invoked from an interactive shell still resolves to the real runtime. To check an existing install, look for node_modules/.bin/node: a dependency tree should never contain it, and if it exists its symlink target names the offending package.
Source: amazon-inspector (bf5806c778f7f49aba80d58a718ed64b09e714e34caa649874727cda5ed92831)