MAL-2026-10679
Malicious code in rakibox (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625) Package is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented `rakibox push` command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com. The R2 access key ID and secret access key used for the upload are shipped inside the package's.env file, so the destination and credentials are baked in — the caller cannot redirect the push to their own storage. A user invoking a `push` on a git-wrapper CLI expects a version-control push to their own remote, not for their whole source tree (including any files not covered by the tiny hardcoded ignore list) to be mirrored into a bucket owned by the package author. The tarball also exposes the author's live R2 access key and secret, granting anyone who installs the package write access to that same bucket.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for rakibox (npm). Pin to a known-safe version or switch to an alternative.