An example typosquat that might become relevant with the introduction of npx
Last updated 3 years ago by kdex.
GPL-3.0
$ cnpm install gulo 


This project serves as an example security flaw that npx typos can lead to.

I ran gulo. Has my data been compromised?

Well, it might have been compromised, but gulo had nothing to do with it; check gulo's source code. It just logs a warning.

How can I prevent arbitrary code execution?

  • Do not use npx directly. Look up --shell-auto-fallback.
  • Learn to type
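
A guard that could run before a name is handed to npx, shown as an added example that is not part of gulo or npx: it classifies a command name as approved, as a near-miss of an approved name (the `gulo` for `gulp` case), or as unknown. The allowlist, function names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example: the allowlist and sample names are constructed for illustration.
const ALLOWLIST = ['gulp', 'grunt', 'eslint', 'webpack']; // assumed team-approved CLIs

// Optimal string alignment distance: counts insertions, deletions,
// substitutions and adjacent transpositions, the usual keyboard slips.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

// Classify a command name before it is passed to npx.
// 'allowed' -> exact match; 'suspect' -> within maxDistance of an approved
// name (likely typo); 'unknown' -> not approved and not close to anything.
function checkCommand(name, allowlist = ALLOWLIST, maxDistance = 1) {
  if (allowlist.includes(name)) return { verdict: 'allowed', closest: name };
  let closest = null;
  let best = Infinity;
  for (const known of allowlist) {
    const dist = editDistance(name, known);
    if (dist < best) { best = dist; closest = known; }
  }
  if (best <= maxDistance) return { verdict: 'suspect', closest };
  return { verdict: 'unknown', closest: null };
}

// Constructed sample input: one approved name, two typos, one unrelated name.
for (const name of ['gulp', 'gulo', 'gupl', 'left-pad']) {
  console.log(name, JSON.stringify(checkCommand(name)));
}
```

A wrapper would run the requested command only on `allowed` and print the `closest` suggestion on `suspect` instead of fetching anything.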

I don't care. What's the "worst" that could be executed?

Anything that your machine user can run. And even more using privilege escalation. Consider your passwords leaked, bank accounts emptied and identity stolen.

Current Tags

  • 1.0.2 - latest (3 years ago)

2 Versions

  • 1.0.2 - 3 years ago
  • 1.0.1 - 3 years ago
Maintainers (1)
Dependencies (0)
Dev Dependencies (0)
Dependents (0)
