While utilitarian, custom archives present significant security challenges. Attackers often craft malicious ZIP files—sometimes called "custom zip bombs"—designed to bypass standard antivirus scanners by exploiting semantic gaps between different parser implementations.
Malicious custom ZIP extraction logic has been identified in npm packages to steal credentials from developer workstations. Community and Creativity: Modding and Customization ENVIRONMENTAL IMPACTS OF THE DIGITAL ECONOMY custom.zip
Known as "Zip Slip," this vulnerability allows attackers to write arbitrary files to a system during the extraction process, potentially leading to remote code execution. potentially leading to remote code execution.