CVE-2026-42089
JavaScript vulnerability analysis and mitigation

Overview

CVE-2026-42089 is a vulnerability in the yeoman-environment npm package that allows arbitrary package installation and code execution without user confirmation. Affecting versions >= 2.9.0 and < 6.0.1, the flaw was published on May 22, 2026, and added to the GitHub Advisory Database on May 26, 2026. It carries a CVSS v3.1 base score of 8.6 (High) (GitHub Advisory, Yeoman Advisory).

Technical details

The root cause is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The vulnerable method installLocalGenerators() in src/environment-full.ts calls repository.install() directly with caller-supplied package names derived from project configuration files, without presenting any confirmation prompt to the user. In environments where an attacker can create or modify project configuration files (e.g., a shared development workspace or a repository with a malicious config), this path can be triggered during CLI bootstrap to install arbitrary npm packages. The fix introduced in commit 78d2af7 adds an interactive confirm prompt (defaulting to false) before proceeding with installation, and a forceInstall flag for intentional automation (Fix Commit, GitHub Advisory).
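The following is an added illustration, not code from yeoman-environment or from its fix commit: it models the defect and the remedy the advisory describes as two shapes of one install gate, so the difference can be exercised without npm. The names installLocalGenerators, repository.install and forceInstall follow the advisory; the injectable repository, the confirm callback (kept synchronous here, where a real prompt would be asynchronous) and the log callback are assumptions made for this demo.

```javascript
// A stand-in repository that records what would be installed instead of running npm.
function makeRepository() {
  const installed = [];
  return {
    installed,
    install(packages) {
      installed.push(...packages);
    },
  };
}

// Vulnerable shape (pre-6.0.1 behaviour as the advisory describes it): every package
// name taken from the project configuration is installed, with no confirmation.
function installLocalGeneratorsVulnerable(repository, packages) {
  repository.install(packages);
  return packages;
}

// Hardened shape (the pattern of the fix): announce what would be installed, ask for
// confirmation that defaults to "no", and let only an explicit forceInstall opt-in
// (intended for automation) bypass the prompt.
function installLocalGeneratorsFixed(repository, packages, options = {}) {
  const { forceInstall = false, confirm = () => false, log = () => {} } = options;
  if (packages.length === 0) return [];
  log(`The following packages will be installed in the local repository: ${packages.join(', ')}`);
  if (!forceInstall && !confirm('Proceed with installation?')) {
    log('Installation declined; nothing was installed.');
    return [];
  }
  repository.install(packages);
  return packages;
}

// Constructed scenario: a cloned project whose configuration names an unknown generator.
const fromUntrustedConfig = ['generator-from-untrusted-config'];

const vulnerableRepo = makeRepository();
installLocalGeneratorsVulnerable(vulnerableRepo, fromUntrustedConfig);
console.log('vulnerable path installed:', vulnerableRepo.installed);

const fixedRepo = makeRepository();
installLocalGeneratorsFixed(fixedRepo, fromUntrustedConfig, { log: console.log });
console.log('fixed path installed (no prompt answer given):', fixedRepo.installed);
```

With the default confirm callback the hardened path installs nothing, which is the point of the fix: a developer who simply runs a Yeoman command in a freshly cloned project is no longer enough to trigger an install; either an explicit "yes" at the prompt or a deliberate forceInstall in automation is required.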

Impact

Successful exploitation allows a local attacker who can control project configuration files to trigger the silent installation of arbitrary npm packages during CLI bootstrap, resulting in code execution with the privileges of the user running the yeoman-environment CLI tool. The scope is marked as "Changed," meaning the impact can extend beyond the vulnerable component itself — a malicious package could compromise confidentiality, integrity, and availability of the host system. This is particularly dangerous in CI/CD pipelines or shared development environments where configuration files may be attacker-influenced (GitHub Advisory).

Exploitation steps

  1. Prepare malicious configuration: The attacker creates or modifies a project configuration file (e.g., .yo-rc.json or equivalent) in a repository or shared workspace to reference a malicious or attacker-controlled npm package name as a generator dependency.
  2. Deliver the configuration: The attacker places the malicious configuration in a location where a target developer will open or clone the project (e.g., a public or internal Git repository).
  3. Trigger CLI bootstrap: The victim runs a Yeoman command (e.g., yo <generator>) in the project directory using a vulnerable version of yeoman-environment (>= 2.9.0, < 6.0.1).
  4. Automatic package installation: The installLocalGenerators() method reads the attacker-controlled package name from the configuration and calls repository.install() without prompting the user, silently installing the malicious npm package.
  5. Code execution: The installed malicious package executes arbitrary code with the privileges of the user running the CLI, potentially enabling data exfiltration, backdoor installation, or further lateral movement (Fix Commit, GitHub Advisory).

Indicators of compromise

  • File System: Unexpected or unfamiliar npm packages appearing in the local node_modules directory after running a Yeoman command; presence of a modified .yo-rc.json or project configuration file referencing unknown generator package names.
  • Logs: npm install logs showing installation of packages not explicitly requested by the developer; yeoman-environment log output containing "The following packages will be installed in the local repository:" followed by an unrecognized package name.
  • Process: Unexpected child processes spawned by the Node.js/Yeoman process (e.g., network connections, shell commands) immediately after CLI bootstrap; unusual outbound network connections from the development machine to npm registries or external hosts during yo command execution.

Mitigation and remediation

Upgrade yeoman-environment to version 6.0.1 or later, which introduces an interactive confirmation prompt (defaulting to false) before any local package installation via installLocalGenerators(). No workarounds are available for earlier versions. Developers should also audit project configuration files (e.g., .yo-rc.json) in shared or cloned repositories for unexpected generator package references before running Yeoman commands (GitHub Advisory, Fix Commit).
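The following audit script is an added example that is not part of the advisory or of the Yeoman project. It turns the indicators and the mitigation above into three offline checks on constructed sample data: whether the resolved yeoman-environment version falls in the affected range (>= 2.9.0 and < 6.0.1), whether .yo-rc.json references generator packages that package.json never declares, and whether yeoman-environment log output announced an installation of an undeclared package. The lockfile layout used (lockfileVersion 3, "packages" keyed by node_modules path), the assumption that top-level .yo-rc.json keys are generator package names, and the exact log wording are taken as assumptions for this demo.

```javascript
// Minimal semver handling so the check runs without the semver package.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when version is in [2.9.0, 6.0.1), the affected range given in the advisory.
function isAffectedVersion(version) {
  return compareSemver(version, '2.9.0') >= 0 && compareSemver(version, '6.0.1') < 0;
}

// Resolved version of a package from a lockfileVersion 3 package-lock object (assumed layout).
function installedVersion(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// Packages the project legitimately declares (dependencies plus devDependencies).
function declaredPackages(pkgJson) {
  return new Set([
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.devDependencies || {}),
  ]);
}

// Generator references in .yo-rc.json that no package.json entry accounts for.
function undeclaredGenerators(yoRc, pkgJson) {
  const declared = declaredPackages(pkgJson);
  return Object.keys(yoRc).filter((name) => !declared.has(name));
}

const INSTALL_MARKER = 'The following packages will be installed in the local repository:';

// Scan log lines for the install announcement and return any package not declared.
function unexpectedInstalls(logLines, pkgJson) {
  const declared = declaredPackages(pkgJson);
  const found = [];
  for (const line of logLines) {
    const idx = line.indexOf(INSTALL_MARKER);
    if (idx === -1) continue;
    const names = line.slice(idx + INSTALL_MARKER.length).split(/[,\s]+/).filter(Boolean);
    for (const n of names) if (!declared.has(n)) found.push(n);
  }
  return found;
}

// Constructed sample inputs; none of these come from a real project.
const SAMPLE_PACKAGE_JSON = {
  devDependencies: { 'generator-webapp': '^4.0.0', 'yeoman-environment': '^5.1.0' },
};
const SAMPLE_PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: { 'node_modules/yeoman-environment': { version: '5.1.0' } },
};
const SAMPLE_YO_RC = {
  'generator-webapp': { promptValues: {} },
  'generator-unlisted-helper': {}, // declared nowhere in package.json: worth a look
};
const SAMPLE_LOG = [
  'yo webapp',
  'The following packages will be installed in the local repository: generator-unlisted-helper',
];

// Run all three checks and return the findings as one object.
function runAudit(pkgJson, lock, yoRc, logLines) {
  const version = installedVersion(lock, 'yeoman-environment');
  return {
    version,
    affected: version !== null && isAffectedVersion(version),
    undeclared: undeclaredGenerators(yoRc, pkgJson),
    unexpected: unexpectedInstalls(logLines, pkgJson),
  };
}

console.log(JSON.stringify(runAudit(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK, SAMPLE_YO_RC, SAMPLE_LOG), null, 2));
```

In practice the three inputs would be read from the cloned project's package.json, package-lock.json and .yo-rc.json and from the captured output of the yo command; any non-empty "undeclared" or "unexpected" list is the signal to stop and inspect the configuration before running anything further, and "affected: true" is the signal to upgrade to 6.0.1 or later.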

Community reaction

The vulnerability was discussed in the context of npm/PyPI supply chain threats, with coverage appearing on security radar platforms and a Reddit thread in the r/cybersecurity community shortly after disclosure. The fix was credited to maintainer mshima (remediation developer), UlisesGascon (coordinator), and 0xmrma (reporter), indicating coordinated responsible disclosure within the Yeoman project (GitHub Advisory).

This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID | Severity | Score | Technology | Component name | CISA KEV exploit | Fix available | Published date
CVE-2026-54157 | CRITICAL | 9 | JavaScript | @lobehub/lobehub | No | | Jun 16, 2026
CVE-2026-42089 | HIGH | 8.6 | JavaScript | yeoman-environment | No | | Jun 16, 2026
CVE-2026-47684 | HIGH | 7.7 | JavaScript | @sync-in/server | No | | Jun 16, 2026
CVE-2026-54298 | MEDIUM | 4.2 | JavaScript | astro | No | | Jun 16, 2026
CVE-2026-54326 | LOW | 2.5 | JavaScript | @earendil-works/pi-coding-agent | No | | Jun 16, 2026
