VDB
EN

MAL-2026-10679

Malicious code in rakibox (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625) Package is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented `rakibox push` command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com. The R2 access key ID and secret access key used for the upload are shipped inside the package's.env file, so the destination and credentials are baked in — the caller cannot redirect the push to their own storage. A user invoking a `push` on a git-wrapper CLI expects a version-control push to their own remote, not for their whole source tree (including any files not covered by the tiny hardcoded ignore list) to be mirrored into a bucket owned by the package author. The tarball also exposes the author's live R2 access key and secret, granting anyone who installs the package write access to that same bucket.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / rakibox

No fixed version published yet for rakibox (npm). Pin to a known-safe version or switch to an alternative.

참고