CVE-2023-37478 showcases how a difference in the way npm and pnpm install packages could be exploited by a well-crafted tar.gz package. This repo shows a demo.
pnpm vs npm exploit

This repo showcases how a difference in npm and pnpm installation from tarballs can be exploited. The exploit is recorded in CVE-2023-37478.

The JavaScript package constructed here claims it prints out a nice message to the user. When installed with npm, this is true. However, the same package can be installed with pnpm, and it will print out a mean message. O
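A defender-side check to go with the demo, added here and not part of this repo: it lists the package.json files inside a package tarball and flags any manifest other than the top-level package/package.json (the one npm reads) that declares an install-time hook or a bin entry, since that is where two installers reading different manifests would diverge. It assumes the npm/pnpm difference lies in which manifest is read (the page does not state the mechanism) and runs on constructed sample tarballs built in memory.

```python
import io
import json
import tarfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def build_tarball(files: dict[str, str]) -> bytes:
    """Build an in-memory .tgz from {path: text}; only used for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

def scan_tarball(data: bytes) -> list[str]:
    """Report every package.json other than package/package.json (the manifest npm reads)
    that declares a lifecycle hook or a bin entry, plus a missing top-level manifest."""
    manifests, findings = {}, []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if member.isfile() and member.name.rsplit("/", 1)[-1] == "package.json":
                try:
                    manifests[member.name] = json.load(tar.extractfile(member))
                except ValueError:  # a manifest that is not valid JSON is itself a finding
                    findings.append(f"unparseable manifest {member.name}")
    if "package/package.json" not in manifests:
        findings.append("no top-level package/package.json")
    for path, manifest in manifests.items():
        if path == "package/package.json" or not isinstance(manifest, dict):
            continue
        hooks = [h for h in LIFECYCLE_HOOKS if h in manifest.get("scripts", {})]
        if hooks or "bin" in manifest:
            findings.append(f"nested manifest {path} declares {', '.join(hooks) or 'bin'}")
    return findings

# Constructed samples, not real packages; a nested package.json that only sets "type" is common and harmless.
TOP_MANIFEST = '{"name": "demo", "version": "1.0.0", "scripts": {"postinstall": "node nice.js"}}'
BENIGN_TGZ = build_tarball({
    "package/package.json": TOP_MANIFEST,
    "package/nice.js": "console.log('nice message')",
    "package/esm/package.json": '{"type": "module"}',
})
# A second manifest carrying its own postinstall hook is what the scan reports.
SUSPICIOUS_TGZ = build_tarball({
    "package/package.json": TOP_MANIFEST,
    "package/sub/package.json": '{"name": "demo", "scripts": {"postinstall": "node mean.js"}}',
})
```

Run `scan_tarball` over the bytes of a downloaded `.tgz` (for example the output of `npm pack`) before adding a dependency; an empty list means only the top-level manifest carries install-time behaviour.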