nicki

Versions: 1
License
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

coderaiser

Keywords

uid, name, passwd

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:etc-passwd-access | AI (semgrep): Package's explicit purpose is reading /etc/passwd to resolve UIDs to usernames; not credential harvesting. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): Used in darwin.js to query macOS user info; consistent with the package's documented purpose. | ai |

Versions (showing 1 of 1)

Version | Deps | Published
6.1.1 | 1 / 8 |

v6.1.1

4 findings
HIGH etc-passwd-access: lib/nicki.js:6 (source: semgrep)

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/coderaiser/nicki/blob/2f6c82358f371b17e22df24dc64bb7d20a753565/lib/nicki.js#L6

      4 |
      5 | const ischanged = require('ischanged');
    > 6 | const FILE = '/etc/passwd';
      7 |
      8 | const {platform} = process;

HIGH etc-passwd-access: lib/nicki.js:40 (source: semgrep)

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/coderaiser/nicki/blob/2f6c82358f371b17e22df24dc64bb7d20a753565/lib/nicki.js#L40

     38 |
     39 | /** The function parses uids and user names
   > 40 |  * from the contents of the /etc/passwd file passed in as a string
     41 |  * and returns an array of objects holding user names and uids
     42 |  * @param passwd - string containing the contents of the /etc/passwd file

HIGH etc-passwd-access: lib/nicki.js:42 (source: semgrep)

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/coderaiser/nicki/blob/2f6c82358f371b17e22df24dc64bb7d20a753565/lib/nicki.js#L42

     40 |  * from the contents of the /etc/passwd file passed in as a string
     41 |  * and returns an array of objects holding user names and uids
   > 42 |  * @param passwd - string containing the contents of the /etc/passwd file
     43 |  */
     44 | function get(passwd) {

LOW No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.