MSS-SK-2026-0005
Plugin npm install runs under sudo on Linux
Summary
src/modules.ts:359 spawns sudo npm install <plugin>. npm runs the plugin's lifecycle scripts (preinstall, install, postinstall) inside that same process, so they execute as root. A malicious or compromised plugin therefore escalates to root during installation, with no further user action needed. Whether npm drops privileges for lifecycle scripts has changed across major versions (older releases ran them as nobody when invoked as root unless --unsafe-perm was set; current releases run them as the invoking user), so confirm the behaviour on the deployed npm by installing a package whose postinstall records the output of id -u.
Impact
SignalK admin access (the right to install plugins) becomes full root on the vessel computer.
Evidence — code citations
Proof of concept
research/audits/signalk/exploits/0005-sudo-postinstall.sh/
- 0005-sudo-postinstall.sh (single-file)