Skip to content

Add malicious npm package na-rony-test-karem#1356

Open
tolgaergin wants to merge 1 commit into
ossf:mainfrom
tolgaergin:codex/add-na-rony-test-karem-malware
Open

Add malicious npm package na-rony-test-karem#1356
tolgaergin wants to merge 1 commit into
ossf:mainfrom
tolgaergin:codex/add-na-rony-test-karem-malware

Conversation

@tolgaergin

Copy link
Copy Markdown

Adds a malicious-package OSV report for na-rony-test-karem@99.9.9.

Source report: https://firewall.lpm.dev/npm/na-rony-test-karem/v/99.9.9

Evidence summary:

  • package.json sets index.js as the package main entrypoint.
  • Importing/requiring index.js constructs a JSON payload containing os.userInfo().username, process.env.INIT_CWD || process.cwd(), and os.hostname().
  • index.js sends that payload via https.request to https://webhook.site/497a0910-6799-4216-976a-fe08154de047, leaking developer or CI host identity and project path context.
  • The package has a misspelled postinsatll script, so this is not a valid npm install hook; the malicious behavior is still reachable through the package main entrypoint.
  • LPM Firewall classified the package as malicious/block with low false-positive risk.

Local checks:

  • jq parse check passed.
  • Lightweight local advisory checks passed.
  • The unpkg source reference returned 200.
  • Could not run make validate locally because Go is not installed on this machine; GitHub Actions should run the official OpenSSF validator.

Signed-off-by: Tolga Ergin <tolgaergin@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant