MAL-2026-10407: Malicious code in awesome-terminal (npm)
The npm package awesome-terminal version 1.0.3 contains malicious code that executes arbitrary remote code during installation. It fetches an unverified payload from a remote URL, extracts it, runs npm install on it, and executes code automatically, enabling remote code execution on any machine installing this package. The package's advertised functionality does not align with the actual code behavior, indicating a deliberate attempt to disguise the malicious activity.
AI Analysis
Technical Summary
The npm package [email protected] includes a postinstall script that downloads a tarball from an untrusted remote JSON configuration URL, extracts it, runs npm install within the extracted directory, and then requires and executes a JavaScript module. This process occurs automatically during npm install, providing a direct remote code execution vector. The fetched payload is unpinned, unsigned, and unverified, making it a high-risk supply chain attack. The package's README claims it is an ASCII mascot library, but the actual code exports staking helpers unrelated to the advertised purpose, suggesting the malicious code is disguised as legitimate functionality.
Potential Impact
Any system that installs [email protected] is vulnerable to remote code execution at install time, allowing an attacker to execute arbitrary code with the privileges of the installing user. This can lead to system compromise, data theft, or further malware deployment. The unverified and dynamic nature of the payload increases the risk and unpredictability of the attack.
Mitigation Recommendations
No official patch or remediation is currently available. Users and organizations should avoid installing [email protected]. If already installed, remove the package and audit affected systems for compromise. Monitor vendor advisories for updates or fixes. Due to the nature of the threat, the safest mitigation is to not use this package version.
MAL-2026-10407: Malicious code in awesome-terminal (npm)
Description
The npm package awesome-terminal version 1.0.3 contains malicious code that executes arbitrary remote code during installation. It fetches an unverified payload from a remote URL, extracts it, runs npm install on it, and executes code automatically, enabling remote code execution on any machine installing this package. The package's advertised functionality does not align with the actual code behavior, indicating a deliberate attempt to disguise the malicious activity.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The npm package [email protected] includes a postinstall script that downloads a tarball from an untrusted remote JSON configuration URL, extracts it, runs npm install within the extracted directory, and then requires and executes a JavaScript module. This process occurs automatically during npm install, providing a direct remote code execution vector. The fetched payload is unpinned, unsigned, and unverified, making it a high-risk supply chain attack. The package's README claims it is an ASCII mascot library, but the actual code exports staking helpers unrelated to the advertised purpose, suggesting the malicious code is disguised as legitimate functionality.
Potential Impact
Any system that installs [email protected] is vulnerable to remote code execution at install time, allowing an attacker to execute arbitrary code with the privileges of the installing user. This can lead to system compromise, data theft, or further malware deployment. The unverified and dynamic nature of the payload increases the risk and unpredictability of the attack.
Mitigation Recommendations
No official patch or remediation is currently available. Users and organizations should avoid installing [email protected]. If already installed, remove the package and audit affected systems for compromise. Monitor vendor advisories for updates or fixes. Due to the nature of the threat, the safest mitigation is to not use this package version.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10407
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ad9c68715ace438f3cf2
Added to database: 07/13/2026, 09:19:24 UTC
Last enriched: 07/13/2026, 09:27:28 UTC
Last updated: 07/13/2026, 09:27:28 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.