{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yeoman-environment/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["yeoman-environment"],"_cs_severities":["high"],"_cs_tags":["rce","supply-chain","CVE-2026-42089","yeoman"],"_cs_type":"advisory","_cs_vendors":["yeoman"],"content_html":"\u003cp\u003eThe \u003ccode\u003eyeoman-environment\u003c/code\u003e package, the generator runtime at the core of the Yeoman scaffolding tool, installs missing local generator packages without asking the user first. Versions 2.9.0 through 6.0.0 are affected. The flaw (CVE-2026-42089) is in the \u003ccode\u003einstallLocalGenerators()\u003c/code\u003e method, which passes caller-supplied package names straight to \u003ccode\u003erepository.install()\u003c/code\u003e with no confirmation prompt. When a downstream consumer feeds attacker-controlled project configuration into the environment, the package names in that configuration are what get installed. Because npm runs the lifecycle scripts of a package (such as \u003ccode\u003epreinstall\u003c/code\u003e and \u003ccode\u003epostinstall\u003c/code\u003e) at install time, and Yeoman then loads the installed generator code, an attacker-chosen package amounts to arbitrary code execution during the CLI bootstrap process. 
The fix was released in version 6.0.1, which introduced an interactive confirmation prompt before installation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a project configuration that names one or more packages under their control.\u003c/li\u003e\n\u003cli\u003eA downstream consumer that uses \u003ccode\u003eyeoman-environment\u003c/code\u003e accepts that configuration (for example, when a user opens or scaffolds the attacker-supplied project) and passes it to the environment.\u003c/li\u003e\n\u003cli\u003eThe consumer reaches \u003ccode\u003einstallLocalGenerators()\u003c/code\u003e during bootstrap.\u003c/li\u003e\n\u003cli\u003eBecause of the missing check, \u003ccode\u003erepository.install()\u003c/code\u003e runs with the package names from the malicious configuration and never prompts the user.\u003c/li\u003e\n\u003cli\u003enpm downloads and installs those packages from the registry (or from a malicious mirror, if the registry configuration of the consumer points at one).\u003c/li\u003e\n\u003cli\u003eInstall-time lifecycle scripts and the generator code itself execute during the CLI bootstrap, with the privileges of the user running the tool.\u003c/li\u003e\n\u003cli\u003eFrom there the attacker can establish persistence through scheduled tasks or startup scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eSteps 7 and 8 are generic post-exploitation activity; they are not specific to this CVE and will look the same in telemetry as any other foothold gained through a developer tool.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives the attacker arbitrary code execution on any system where a vulnerable \u003ccode\u003eyeoman-environment\u003c/code\u003e processes attacker-controlled configuration, under the account of the user running the tool (typically a developer workstation or a CI job). From that position the attacker can compromise the host completely, steal data, and propagate further into the network. 
The severity is rated high because the only user action required is running the tool against the attacker-controlled project configuration: the install itself proceeds with no prompt, so the victim never sees which packages are being pulled in. Note that the configuration still has to reach a vulnerable consumer, so the exposure is a supply-chain one rather than a network-reachable service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eyeoman-environment\u003c/code\u003e to version 6.0.1 or later, which adds an interactive confirmation prompt before installation. Verify how your consumer behaves when there is no terminal to answer that prompt (for example in CI), so that the fix is neither silently bypassed nor left hanging the pipeline.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules that accompany this brief to detect exploitation attempts; they monitor for suspicious npm package installations launched via the CLI.\u003c/li\u003e\n\u003cli\u003eValidate generator names taken from project configuration before they reach an installer: accept only well-formed npm package names following the \u003ccode\u003egenerator-*\u003c/code\u003e convention Yeoman uses, reject anything that looks like a URL, git specifier or filesystem path, and prefer an explicit allowlist of approved generators.\u003c/li\u003e\n\u003cli\u003eMonitor process creation for unexpected children of npm or node, for example a shell invoking \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e or a PowerShell download cmdlet during an install, which is how a malicious lifecycle script typically fetches its second stage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T23:12:44Z","date_published":"2026-05-26T23:12:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-yeoman-rce/","summary":"Versions of yeoman-environment ranging from 2.9.0 to before 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation, potentially leading to arbitrary package installation and code execution in downstream consumers when attacker-controlled project configuration is passed.","title":"yeoman-environment Vulnerable to Arbitrary Package Installation Leading to RCE (CVE-2026-42089)","url":"https://feed.craftedsignal.io/briefs/2026-05-yeoman-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Yeoman-Environment","version":"https://jsonfeed.org/version/1.1"}