CVSS 3.1 (GHSA): 9.8
Electerm Installer Allows Hackers to Run Malicious Commands
GHSA-wxw2-rwmh-vr8f
Summary
The Electerm installer has a security flaw that lets hackers execute malicious commands on your computer if you install it using npm. This is a serious risk for anyone who uses Electerm. To stay safe, update to the latest version of Electerm by running 'npm install -g electerm' again.
What to do
- Update zxdong262 electerm to version 3.3.8.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | zxdong262 | electerm | < 3.3.8 (fix: upgrade to 3.3.8) |
Original title
electerm: electerm_install_script_CommandInjection Vulnerability Report
Original description
### Impact
_What kind of vulnerability is it? Who is impacted?_
**Two Command Injection vulnerabilities in electerm:**
1. **macOS Installer** (`electerm_CommandInjection_02`): A command injection vulnerability exists in `github.com/electerm/electerm/npm/install.js:150`. The `runMac()` function appends the attacker-controlled remote `releaseInfo.name` directly into an `exec("open ...")` command without validation.
2. **Linux Installer** (`electerm_CommandInjection_01`): A command injection vulnerability exists in `github.com/electerm/electerm/npm/install.js:130`. The `runLinux()` function appends attacker-controlled remote version strings directly into an `exec("rm -rf ...")` command without validation.
**Who is impacted:** Users who run `npm install -g electerm`. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper with local files, and escalate compromise of development/runtime assets.
---
### Patches
_Has the problem been patched? What versions should users upgrade to?_
Fixed in [59708b38c8a52f5db59d7d4eff98e31d573128ee](https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee). Users do not need to upgrade manually; the new version is already published on npm.
---
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
No.
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026