evil-pkg @1.0.5
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 10:34 PM UTC
OSV ID
MAL-2026-6374
Ecosystem
npm
Summary
Package declares "bin": {"node": "./shim.js"} in package.json, which registers shim.js as the node command in node_modules/.bin . In any environment where node_modules/.bin is prepended to PATH (notably Bun, but also any shell or tool that resolves binaries through the local bin directory), subsequent invocations of node — including those made by other packages' lifecycle scripts during the same install — will execute shim.js instead of the real Node.js runtime. When triggered, shim.js writes /tmp/.bun-npm-pwned and prints a hijack banner to stderr. The current payload is a benign marker, but the mechanism is a fully functional unconsented code-execution channel on the installer's machine: any code placed in shim.js would run with the installer's privileges whenever a sibling package invokes node during install. The package's own README markets this behavior as a PATH-poisoning attack proof-of-concept ( BunnyHijack ) and explicitly notes that a real attacker would use the same vector to exfiltrate .env , ~/.ssh , and ~/.npmrc . Hijacking a core runtime command name is not a legitimate use of the bin field and constitutes a deliberate supply-chain attack mechanism shipped to the registry.
Source: amazon-inspector (9fafd2d99f9cf4494726ad31b7444c029e6af96702066992ae4b0741c5239b1a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.