Potential security threat detected in build errors in a fresh create-react-app install (script accessing “/initrd.img”, “/vmlinuz” and others)
I’ve already posted this issue in https://stackoverflow.com/questions/64483296/react-apps-build-output-concerning-build-errors-about-initrd-img-and-vmlinuz but I thought this was serious and urgent enough that CRA maintainers should be notified now.
After I have created a new app with create-react-app or Razzle, error messages appear at build time which are quite concerning, security-wise:
[Error: ENOENT: no such file or directory, stat '/initrd.img'] {
  errno: -2,
  code: 'ENOENT',
  syscall: 'stat',
  path: '/initrd.img'
}
Sometimes, a few other messages appear, with “/vmlinuz” “/initrd.img.old”, “/vmlinuz.old” and “.steampath” instead.
These messages appear any time there’s a build error (any build error that I generate).
This is basically the same problem as described in https://stackoverflow.com/questions/63165044/vue-cli-outputting-very-concerning-error-security-question (but I was told to ask a new question). There were testimonies of three people having the same error messages in that thread.
I don’t think there would be any valid reason for a React build script to stat the Linux kernel and a Steam directory, so there might be a malicious package at play here.
This only happens with npm, not yarn. (If your app has been created by CRA with yarn, you should do rm -rf node_modules && rm -rf yarn.lock && npm install);
The most minimal setup I could achieve while trying to isolate the culprits was:
- creating a brand new app with create-react-app with npx create-react-app
- and then generating an arbitrary build error in index.js, adding something like: import "nonexistent";
When I do that, I see the stat '/initrd.img' error mentioned above.
I’d like to know if you don’t see the errors after executing the same exact steps. That would probably mean that it doesn’t come from the packages installed but from elsewhere in my system.
It cannot come from my Node.js setup though, because I deleted my $HOME/.nvm, $HOME/.npm, $HOME/node_modules, $HOME/.yarn and $HOME/.config/yarn before redoing the steps below.
There aren’t many similar testimonials about this on the web, apparently. A bit more with “/.steampath” though.
I reported the issue to security@npmjs.com. They haven’t replied yet.
If there is indeed a malicious script in the dependency tree of react-create-app (and Razzle), it should be investigated urgently.
Environment: Node 14.14 (installed with nvm 0.36.0), npm 6.14.8, create-react-app 3.4.1 and 4.0.0-next.98, Kubuntu 20.04
Issue metadata: created 3 years ago; 8 comments (2 by maintainers)
Top GitHub Comments
Comment out these lines: import reportWebVitals from './reportWebVitals'; reportWebVitals();
@Venul thanks for the tip. If anyone comes by here with the same error, try @Venul's tip here, ok.