The poly-kelly npm package version 3.5.3 includes a postinstall script that reads a remote JSON configuration from a URL specified in the package.json homepage field. This configuration contains a tarball URL which the script downloads, extracts into a local directory, installs dependencies, and executes a JavaScript function. There is no verification of the downloaded code's integrity or authenticity. The URL can be overridden via environment variables and downgraded from HTTPS to HTTP, allowing an attacker with network access to inject arbitrary JavaScript code that will run on any machine installing this package. The package metadata is minimal and suspicious, consistent with a malicious dropper designed to deliver alternate payloads during installation.

This vulnerability allows arbitrary remote code execution on any system that installs poly-kelly version 3.5.3. Because the postinstall script fetches and runs code from a remote server without validation, an attacker controlling the remote server or able to perform a man-in-the-middle attack can execute arbitrary JavaScript with the privileges of the installer. This can lead to full system compromise, data theft, or further malware deployment. The lack of author and repository information and the use of the homepage field as a command-and-control endpoint confirm the package's malicious intent.

No official patch or remediation is currently available for poly-kelly version 3.5.3. Users and organizations should avoid installing this package entirely. If already installed, remove it and any related files. Monitor for any unexpected network connections or processes spawned by this package. Use trusted sources and verify package integrity before installation. Consider using package allowlists or scanning tools to detect and block malicious npm packages. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.