{"id":"MAL-2026-10679","summary":"Malicious code in rakibox (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625)\nPackage is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented `rakibox push` command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com. The R2 access key ID and secret access key used for the upload are shipped inside the package's.env file, so the destination and credentials are baked in — the caller cannot redirect the push to their own storage. A user invoking a `push` on a git-wrapper CLI expects a version-control push to their own remote, not for their whole source tree (including any files not covered by the tiny hardcoded ignore list) to be mirrored into a bucket owned by the package author. The tarball also exposes the author's live R2 access key and secret, granting anyone who installs the package write access to that same bucket.\n","modified":"2026-07-15T11:49:26.035511409Z","published":"2026-07-15T11:30:59Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-010678","import_time":"2026-07-15T11:33:40.404357571Z","modified_time":"2026-07-15T11:30:59Z","sha256":"8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625","source":"amazon-inspector","versions":["2.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/rakibox/v/2.0.0"}],"affected":[{"package":{"name":"rakibox","ecosystem":"npm","purl":"pkg:npm/rakibox"},"versions":["2.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha1":"809a3e1d905f3105302ea476d7fd4078f5d1e0f2","sha512_sri":"sha512-F6ANEsDFNcbSmZMcFPThr22wxaNh6PD/J7y7gpCxe/gT3gWO3LIubHlS7+BtG5eQ6gwXTerfwXqi7F+BioLYeg=="},"filename":"rakibox-2.0.0.tgz"}],"evidence_files":[{"tlsh":"81b1971206f64b3f29b27381a50a001622b98b563744f0173a6dd65f7fa915e82f77fc","path":"dist/index.js","sha256":"94135b963d7fc005b38e4b54cfbb52a04c32f71d098efaaee6a759be41d37b4e"},{"tlsh":"73d0c2f9d1181355278f8260a206738da0770468c7f7b0e62812922b6484268c669d05","path":".env","sha256":"3ed107a5b59c9c74faad53262b0bcae12133b6d6737712c09ead0ccee580b0f7"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rakibox/MAL-2026-10679.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}