test-pkg-yarn @1.0.2

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC

Malicious

OSV ID

MAL-2026-6718

Ecosystem

npm

Summary

package.json declares `bin: { "node": "./shim.js" }`, causing npm / yarn to symlink `node` in `node_modules/.bin` (and in a system bin dir on global install) to a package-controlled script. Subsequent invocations of `node` resolved through that PATH entry execute `shim.js` instead of the real Node.js runtime, redirecting any tooling that expects `node` to attacker-controlled code. In addition, `scripts.postinstall` runs `bun shim.js || node shim.js`, and `shim.js` unconditionally invokes OS commands at install time via `child_process.execSync`: spawning a GUI calculator (`calc` on Windows, `gnome-calculator` on Linux, `open -a Calculator` on macOS), opening a URL in the user's browser, and writing a marker file to `/tmp/.bun-npm-pwned`. The package self-identifies as 'BunnyHijack PoC - yarn variant' with the console message '[!] PATH POISONED - test-pkg-yarn just hijacked your node command.' Although framed as a proof-of-concept and not currently exfiltrating data, the behavior is real install-time code execution against any developer who installs the package and a persistent hijack of the `node` command in PATH.

Source: amazon-inspector (40b74339843ee482f3f135dd43e855f1f30758e20857333e0e6153748888769a)
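As an added example (not part of the OSV record and not code from the package it describes), the following JavaScript audits a package.json manifest before installation for the two behaviours the summary calls out: a `bin` entry that would shadow a runtime or package-manager command once linked into `node_modules/.bin`, and lifecycle scripts that run code at install time. The reserved-name list, the function names and the constructed sample manifest are assumptions made for this example; the sample is modelled on the summary's description, not copied from the real package.

```javascript
// Added example: pre-install manifest audit for bin shadowing and install-time scripts.
// Not part of the OSV record; names and the sample manifest are constructed.

// Commands a dependency's "bin" entry should never be allowed to claim, since
// node_modules/.bin is commonly placed ahead of the real binaries on PATH.
const SHADOWED_COMMANDS = new Set(['node', 'npm', 'npx', 'yarn', 'pnpm', 'bun', 'corepack']);

// Lifecycle hooks that npm/yarn run for a dependency at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Normalise the "bin" field: npm accepts a string (the command name then
// defaults to the unscoped package name) or an object mapping name -> path.
function normalizeBin(manifest) {
  const bin = manifest.bin;
  if (bin == null) return {};
  if (typeof bin === 'string') {
    const unscoped = String(manifest.name || '').split('/').pop();
    return unscoped ? { [unscoped]: bin } : {};
  }
  if (typeof bin === 'object') return { ...bin };
  return {};
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditManifest(manifest) {
  const findings = [];

  for (const [cmd, target] of Object.entries(normalizeBin(manifest))) {
    if (SHADOWED_COMMANDS.has(cmd.toLowerCase())) {
      findings.push({
        kind: 'bin-shadows-runtime',
        command: cmd,
        target: String(target),
        detail: `"${cmd}" would be linked into node_modules/.bin ahead of the real binary on PATH`,
      });
    }
  }

  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      findings.push({ kind: 'install-time-script', hook, script: scripts[hook] });
    }
  }

  return findings;
}

// Constructed manifest shaped like the report's description (not the real package contents).
const SAMPLE_MANIFEST = {
  name: 'test-pkg-yarn',
  version: '1.0.2',
  bin: { node: './shim.js' },
  scripts: { postinstall: 'bun shim.js || node shim.js' },
};

function auditSample() {
  return auditManifest(SAMPLE_MANIFEST);
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Run against the constructed manifest, the audit reports one `bin-shadows-runtime` finding for `node` and one `install-time-script` finding for `postinstall`. A package whose `bin` is a plain string still gets its command name derived from the package name, which is why the string form is normalised rather than ignored; a lockfile-level scanner would apply the same function to every manifest in the resolved tree.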
