Description
Describe the bug.
NOTE: I am thinking to report this bug on your bug bounty on hackenproof under name ssb07. If eligible, can I report it there?
The README of this repository instructs users to install a package named telescopeTest1 using:
npm install telescopeTest1
However, this package is not published on the NPM registry and is not listed in package.json dependencies. This instruction could mislead users into installing an unintended package if a malicious actor publishes telescopeTest1 to NPM.
This poses a potential supply chain security risk known as dependency confusion, which can allow attackers to execute arbitrary code during install time by exploiting naming conflicts between internal packages and public NPM packages.
Describe the steps to reproduce the behavior
- Visit the repository: https://github.com/AssetMantle/mantlejs
- Locate the README instruction:
npm install telescopeTest1
- Attempt to install the package:
npm install telescopeTest1
- If the package does not exist, NPM will return a 404 Not Found error.
- If an attacker publishes telescopeTest1, the command will install and execute that package.
Expected behavior.
Impact
- High Severity: Allows arbitrary code execution via supply chain compromise.
- Developers following README instructions could unknowingly install malicious code.
- Trust in the repository and its ecosystem may be undermined.
Suggested Remediation
- Clarify Installation Instructions in the README:
  - If the package is on GitHub, use:
npm install git+https://github.com/kombos/telescopeTest1.git
  - If it's a local package:
npm install ./path/to/telescopeTest1
- Reserve the Package Name:
  - Optionally, publish a placeholder telescopeTest1 package to NPM to prevent misuse.
  - Use Scoped Names for internal tools (e.g., @assetmantle/telescope-test) to prevent namespace confusion.
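The check below is an added example, not code from the mantlejs repository or from the reporter: it shows how a maintainer can catch the condition described in this issue (a README `npm install` line naming a bare registry package that package.json never declares) before it ships, and it treats git URLs, local paths and scoped names the way the remediation above suggests. The README and package.json contents are constructed samples built around the instruction quoted in the issue; the function names are mine.

```python
"""Added example: flag README `npm install` instructions that name a bare
registry package which package.json does not declare. Such names are the
dependency-confusion precursor described in this issue. All inputs below
are constructed samples, not files from the mantlejs repository."""
import json
import re

# `npm install`, `npm i` or `npm add` followed by one or more specs on the line.
INSTALL_RE = re.compile(r"\bnpm\s+(?:install|i|add)\s+([^\n`]+)")

# Prefixes that make npm resolve a spec outside the public registry.
NON_REGISTRY_PREFIXES = (
    "git+", "git://", "http://", "https://", "file:", "./", "../", "/", "~/",
)

# package.json keys that npm treats as dependency declarations.
DEP_KEYS = ("dependencies", "devDependencies",
            "peerDependencies", "optionalDependencies")


def install_specs(readme: str) -> list[str]:
    """Return every package spec that appears in an npm install command."""
    specs = []
    for match in INSTALL_RE.finditer(readme):
        for token in match.group(1).split():
            if token.startswith("-"):      # flags such as --save-dev
                continue
            specs.append(token)
    return specs


def is_registry_spec(spec: str) -> bool:
    """True when npm would look the spec up on the public registry."""
    return not spec.startswith(NON_REGISTRY_PREFIXES)


def package_name(spec: str) -> str:
    """Strip a version/tag suffix: foo@1.2.3 -> foo, @scope/foo@next -> @scope/foo."""
    if spec.startswith("@"):
        return "@" + spec[1:].split("@", 1)[0]
    return spec.split("@", 1)[0]


def declared_names(package_json: str) -> set[str]:
    """Names package.json already binds: the project itself plus every dependency map."""
    pkg = json.loads(package_json)
    names = {pkg.get("name", "")}
    for key in DEP_KEYS:
        names.update(pkg.get(key, {}))
    return names


def undeclared_registry_installs(readme: str, package_json: str) -> list[str]:
    """Registry package names the README tells users to install but
    package.json does not declare; these are the ones to verify on the registry."""
    declared = declared_names(package_json)
    findings = []
    for spec in install_specs(readme):
        if not is_registry_spec(spec):
            continue
        name = package_name(spec)
        if name not in declared and name not in findings:
            findings.append(name)
    return findings


# Constructed sample README: the instruction quoted in this issue, plus a git
# install, a local-path install and a scoped install that must NOT be flagged.
SAMPLE_README = """\
# mantlejs (constructed sample)

Install:

    npm install telescopeTest1
    npm install --save-dev git+https://github.com/kombos/telescopeTest1.git
    npm install ./vendor/telescopeTest1
    npm i @assetmantle/telescope-test@1.0.0
"""

# Constructed sample package.json: declares the scoped name, not telescopeTest1.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "@assetmantle/mantlejs",
    "dependencies": {"@assetmantle/telescope-test": "^1.0.0"},
})

if __name__ == "__main__":
    for name in undeclared_registry_installs(SAMPLE_README, SAMPLE_PACKAGE_JSON):
        hint = "" if name.startswith("@") else " (unscoped: any registry user may claim it)"
        print(f"README installs undeclared registry package {name!r}{hint}")
```

Run against the samples it reports only telescopeTest1: the git URL and the local path are skipped because npm never consults the registry for them, and the scoped name passes because package.json declares it. The check is deliberately offline; a follow-up `npm view <name>` on each finding tells you whether the name is currently unpublished (and so claimable) or already owned by someone other than the project.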