Attacker Impact
An affected electerm install path can execute commands with the privileges of the user or automation account running the install [S2]. For most FixVibe customers the exposure is on developer workstations and in CI jobs, setup scripts, or build images that install the affected npm package, rather than through a remotely verified web-app route [S2].
Root Cause
The advisory is tracked as CWE-77 command injection in electerm installation behavior before 3.3.8 [S1][S2]. The package fixed the issue in 3.3.8 [S2].
Concrete Fixes
Upgrade electerm to 3.3.8 or newer, regenerate the active lockfile, and rebuild any Docker, CI, devcontainer, or onboarding cache that installs dependencies [S2]. If electerm is not required by the application or build workflow, remove it.
FixVibe Coverage
FixVibe GitHub repo scans now check npm manifests and lockfiles for electerm versions before 3.3.8. A finding is reported as a version-based advisory with the file path, detected version or constraint, confidence, CVE/GHSA IDs, and fixed version. FixVibe does not execute install scripts or claim exploit confirmation from this static evidence.
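The following is an added example, not FixVibe's scanner or electerm project code, of the version-based check described above and of how to confirm a regenerated lockfile after the upgrade in Concrete Fixes: it flags electerm below 3.3.8 in a package.json constraint and in a package-lock.json, reporting the lockfile's resolved version at higher confidence than a manifest range. The sample manifest and lockfile are constructed; field names follow the npm formats.

```javascript
// Added example, not FixVibe's scanner: flag electerm below the fixed release
// (3.3.8) in an npm manifest and lockfile. Sample inputs are constructed.
const PACKAGE = "electerm";
const FIXED_VERSION = "3.3.8";
// Parse "x.y.z" (optionally prefixed with ^, ~, = or v) into numeric parts.
function parseVersion(v) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// -1, 0 or 1 for a < b, a == b, a > b; numeric per part, so 3.10.0 > 3.3.8.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

const finding = (file, detected, confidence) =>
  ({ package: PACKAGE, file, detected, confidence, fixedVersion: FIXED_VERSION });

// Lockfile: resolved versions are exact, so a match is high confidence. Handles
// the v2/v3 "packages" map (nested node_modules paths included) and the
// top-level v1 "dependencies" map (nested v1 entries are not descended).
function findingsFromLockfile(lockText, file) {
  const lock = JSON.parse(lockText);
  const entries = lock.packages
    ? Object.entries(lock.packages).filter(([k]) => k.endsWith(`node_modules/${PACKAGE}`))
    : Object.entries(lock.dependencies || {}).filter(([k]) => k === PACKAGE);
  return entries
    .filter(([, meta]) => parseVersion(meta.version) && compareVersions(meta.version, FIXED_VERSION) < 0)
    .map(([, meta]) => finding(file, meta.version, "high"));
}

// Manifest: only a constraint is known. A range such as "^3.3.0" may resolve to
// 3.3.8 at install time, so report an unpatched lower bound at medium confidence.
function findingsFromManifest(manifestText, file) {
  const pkg = JSON.parse(manifestText);
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const c = pkg[field] && pkg[field][PACKAGE];
    if (c && parseVersion(c) && compareVersions(c, FIXED_VERSION) < 0) out.push(finding(file, c, "medium"));
  }
  return out;
}

// Constructed sample inputs: a manifest range below the fix and a v3 lockfile
// that resolved to 3.3.5.
const SAMPLE_MANIFEST = JSON.stringify({ devDependencies: { electerm: "^3.3.0" } });
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3,
  packages: { "": {}, "node_modules/electerm": { version: "3.3.5" } } });
```

A lockfile finding after `npm install` means the regenerated lockfile still resolves below 3.3.8 and the constraint itself needs raising.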
