VDB
KO

MAL-2026-10679

Malicious code in rakibox (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625) Package is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented `rakibox push` command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com. The R2 access key ID and secret access key used for the upload are shipped inside the package's.env file, so the destination and credentials are baked in — the caller cannot redirect the push to their own storage. A user invoking a `push` on a git-wrapper CLI expects a version-control push to their own remote, not for their whole source tree (including any files not covered by the tiny hardcoded ignore list) to be mirrored into a bucket owned by the package author. The tarball also exposes the author's live R2 access key and secret, granting anyone who installs the package write access to that same bucket.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / rakibox

No fixed version published yet for rakibox (npm). Pin to a known-safe version or switch to an alternative.

References