MAL-2026-10679

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rakibox/MAL-2026-10679.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10679
Published
2026-07-15T11:30:59Z
Modified
2026-07-15T11:49:26.035511409Z
Summary
Malicious code in rakibox (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625)

Package is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented rakibox push command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com. The R2 access key ID and secret access key used for the upload are shipped inside the package's.env file, so the destination and credentials are baked in — the caller cannot redirect the push to their own storage. A user invoking a push on a git-wrapper CLI expects a version-control push to their own remote, not for their whole source tree (including any files not covered by the tiny hardcoded ignore list) to be mirrored into a bucket owned by the package author. The tarball also exposes the author's live R2 access key and secret, granting anyone who installs the package write access to that same bucket.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010678",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T11:33:40.404357571Z",
            "sha256": "8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625",
            "versions": [
                "2.0.0"
            ],
            "modified_time": "2026-07-15T11:30:59Z"
        }
    ]
}
References
Credits

Affected packages

npm / rakibox

Package

Affected ranges

Affected versions

2.*
2.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rakibox/MAL-2026-10679.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "rakibox-2.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-F6ANEsDFNcbSmZMcFPThr22wxaNh6PD/J7y7gpCxe/gT3gWO3LIubHlS7+BtG5eQ6gwXTerfwXqi7F+BioLYeg==",
                "sha1": "809a3e1d905f3105302ea476d7fd4078f5d1e0f2"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "94135b963d7fc005b38e4b54cfbb52a04c32f71d098efaaee6a759be41d37b4e",
            "tlsh": "81b1971206f64b3f29b27381a50a001622b98b563744f0173a6dd65f7fa915e82f77fc"
        },
        {
            "path": ".env",
            "sha256": "3ed107a5b59c9c74faad53262b0bcae12133b6d6737712c09ead0ccee580b0f7",
            "tlsh": "73d0c2f9d1181355278f8260a206738da0770468c7f7b0e62812922b6484268c669d05"
        }
    ]
}