JustAppSec

Electerm patches install-time command injection on Linux

Published 24 Apr 2026 | Updated 24 Apr 2026 | Source: GitHub Advisory Database

TL;DR - electerm < 3.3.8 has an install-time command injection: runLinux() appends a remote-controlled version string into an exec("rm -rf ...") shell command on Linux.

What happened

Electerm is an Electron-based terminal and SSH/SFTP client distributed via npm (including global installs).

CVE-2026-41501 is a command injection in github.com/electerm/electerm/npm/install.js:130: the runLinux() function concatenates an attacker-controlled remote version string into an exec("rm -rf ...") command without validation. The advisory frames the threat model as an attacker who can control the remote release metadata (a version string or release name) served by the project's update server, which leads to arbitrary command execution during installation.

Install-time RCE is a high-leverage supply chain primitive. Dev machines and CI runners routinely run global npm installs, and the resulting blast radius is disproportionately large compared to a typical app-only bug.

Who is impacted

  • Linux users who run npm install -g electerm.
  • Installations of electerm with versions < 3.3.8.

Item                          Value
Affected package              electerm (npm)
Affected versions             < 3.3.8
Patched version (as listed)   3.3.8
Severity                      CVSS 3.1 9.8 (Critical)
CVSS vector                   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What to do now

  • Follow vendor remediation guidance and ensure you are on a release that is not in the affected range.

    "Patched versions 3.3.8"

  • If you manage developer images or CI runners that install electerm, inventory where it is installed (global npm, base images, bootstrap scripts) and verify the installed version.
  • Treat this as potential build/host compromise exposure if the installation path was reachable in your environment:
    • review install logs and shell history on developer workstations and CI runners
    • rotate credentials that may have been accessible on hosts that ran the installer
  • Note on workarounds (source):

    "no"
