
RCE via npm misconfig `@lenster` -- installing internal libraries from the public registry

Critical
bigint published GHSA-483g-474c-fx83 Aug 2, 2023

Package

npm @lenster (npm)

Affected versions

*

Patched versions

None

Description

Hi Lenster,
I was inspired by this article
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

https://www.npmjs.com/package/@lenster/data

This package name was previously unclaimed on npmjs.com. In order to detect such misconfigurations.
To avoid breaching the program policy, no further actions are taken.

If you need, I can upload my own code under the @lenster/data name.
Whenever @lenster/data is installed, my package.json script is executed on the machine where it is downloaded.
The script sends a callback to my server containing:

the originating IP
the machine's hostname
the current working directory

Vulnerable URLs:
https://github.com/lensterxyz/lenster/blob/main/packages/workers/snapshot-relay/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/workers/sts-generator/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/workers/achievements/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/workers/leafwatch/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/workers/metadata/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/workers/invite/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/workers/ens/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/snapshot/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/types/package.json
https://github.com/lensterxyz/lenster/blob/main/apps/prerender/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/lens/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/lib/package.json
https://github.com/lensterxyz/lenster/blob/main/packages/ui/package.json
https://github.com/lensterxyz/lenster/blob/main/apps/web/package.json

Vuln packages:

@lenster/data
@lenster/config
@lenster/bundlr
@lenster/types
@lenster/image-cropper
@lenster/abis
@lenster/ui
@lenster/snapshot
@lenster/lens
@lenster/lib

Impact

If the package had been claimed by an attacker, this would have led to arbitrary code execution on the affected server, as well as allowing the attacker to add backdoors inside the affected project(s) during the build process.
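
A defensive audit for the misconfiguration this advisory describes, as an added example that is not part of the original advisory or Lenster's code: it flags `@lenster/*` dependencies whose version spec does not force local resolution. The manifest contents, the `auditScopedDeps` and `isLocalSpec` names, and the `@lenster/web` package name are constructed for illustration.

```javascript
// Added example: flag internal scoped dependencies that a package manager
// may fetch from the public registry instead of the local workspace.
const LOCAL_PROTOCOLS = ['workspace:', 'file:', 'link:', 'portal:'];
const DEP_FIELDS = ['dependencies', 'devDependencies',
  'optionalDependencies', 'peerDependencies'];

// True when the version spec itself forces resolution from the repository.
function isLocalSpec(spec) {
  return LOCAL_PROTOCOLS.some((p) => String(spec).startsWith(p));
}

// manifests: [{ file, json }] where json is a parsed package.json.
// Returns one finding per scoped dependency with a registry-style spec.
// definedLocally === false means no workspace package carries that name, so
// whoever owns the name on the public registry supplies the code.
function auditScopedDeps(manifests, scope) {
  const localNames = new Set(manifests.map((m) => m.json.name).filter(Boolean));
  const findings = [];
  for (const { file, json } of manifests) {
    for (const field of DEP_FIELDS) {
      for (const [name, spec] of Object.entries(json[field] || {})) {
        if (!name.startsWith(scope + '/') || isLocalSpec(spec)) continue;
        findings.push({ file, field, name, spec,
          definedLocally: localNames.has(name) });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (contents are assumptions, not the real files).
const sampleManifests = [
  { file: 'packages/lib/package.json', json: { name: '@lenster/lib',
    dependencies: { '@lenster/data': '*', '@lenster/types': 'workspace:*' } } },
  { file: 'packages/types/package.json', json: { name: '@lenster/types',
    devDependencies: { '@lenster/config': '*' } } },
  { file: 'apps/web/package.json', json: { name: '@lenster/web',
    dependencies: { '@lenster/lib': '*', react: '^18.2.0' } } },
];

for (const f of auditScopedDeps(sampleManifests, '@lenster')) {
  const level = f.definedLocally ? 'WARN' : 'HIGH';
  console.log(`${level} ${f.file}: ${f.field} ${f.name}@${f.spec}`);
}
```

A finding with `definedLocally: true` still depends on the package manager's workspace linking behaviour; a `workspace:` spec removes that dependence where the package manager supports it.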

Severity

Critical

CVE ID

No known CVE

Weaknesses

No CWEs

Credits