TrevorGKann / CVE-2023-37478_npm_vs_pnpm

CVE-2023-37478 showcases how a difference in the way npm and pnpm install packages could be exploited by a well-crafted tar.gz package. This repo shows a demo.

pnpm vs npm exploit

This repo showcases how a difference between npm and pnpm installation from tarballs can be exploited. The exploit is recorded in CVE-2023-37478.

The JavaScript package constructed here claims it prints out a nice message to the user. When installed with npm, this is true. However, the same package can be installed with pnpm and it will print out a mean message. One could imagine how this could be more maliciously exploited.

You can find an old, vulnerable version of pnpm here that works with this exploit. This is fixed in newer versions of pnpm, and the fix can be seen here.

How to use this Repo

exploitative_package_src has the source for the package definitely_benign_package. The folder bad_version (V0.1) contains malicious code, and good_version (V0.2) contains good code. make_tar.sh builds the tarball such that the bad version is added to the tarball before the good version.

For a demo, move or copy the compiled definitely_benign_package.tgz into /use_demonstration/ and install it via npm or pnpm; this can be shortcut with make pnpm or make npm (make clean also works once you're done). Once it's installed, run the words of affirmation script with node words_of_affirmation.js.
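The condition the demo relies on is a tarball whose member path appears more than once, so that one installer keeps the first entry and the other keeps the last. The following Python audit, added here as an example and not part of this repo, flags that condition in a package tarball; the fixture tarball, its package name and its two message bodies are constructed in the script and are not the repo's definitely_benign_package.tgz.

```python
import io
import tarfile
from collections import defaultdict


def build_fixture_tgz(duplicate: bool = True) -> bytes:
    """Constructed fixture: a gzipped tarball that, like the repo's
    make_tar.sh output, carries package/index.js twice, the 'bad' body
    first and the 'good' body second. duplicate=False builds a clean one."""
    members = [
        ("package/package.json", b'{"name":"definitely_benign_package","version":"0.2.0"}'),
        ("package/index.js", b"console.log('you are terrible');\n"),   # first entry
        ("package/index.js", b"console.log('you are wonderful');\n"),  # last entry
    ]
    if not duplicate:
        members.pop(1)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, body in members:
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))  # addfile does not dedupe names
    return buf.getvalue()


def duplicate_members(tgz: bytes) -> dict[str, list[bytes]]:
    """Map every member path that occurs more than once to its bodies in
    archive order. getmembers() keeps duplicates, and extractfile(member)
    reads from that member's own offset, so each body is the real one."""
    seen = defaultdict(list)
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen[member.name].append(tar.extractfile(member).read())
    return {name: bodies for name, bodies in seen.items() if len(bodies) > 1}


def audit(tgz: bytes) -> list[str]:
    """One finding per duplicated path; an empty list means the tarball is clean."""
    return [
        f"{name}: {len(bodies)} entries; first and last differ: {bodies[0] != bodies[-1]}"
        for name, bodies in duplicate_members(tgz).items()
    ]
```

For the package in this repo, npm's result corresponds to the last entry and the vulnerable pnpm's to the first, so a finding whose first and last bodies differ is exactly the case where the two installers disagree.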
