-= Per source details. Do not edit below this line.=-
Package is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented rakibox push command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com. The R2 access key ID and secret access key used for the upload are shipped inside the package's.env file, so the destination and credentials are baked in — the caller cannot redirect the push to their own storage. A user invoking a push on a git-wrapper CLI expects a version-control push to their own remote, not for their whole source tree (including any files not covered by the tiny hardcoded ignore list) to be mirrored into a bucket owned by the package author. The tarball also exposes the author's live R2 access key and secret, granting anyone who installs the package write access to that same bucket.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010678",
"source": "amazon-inspector",
"import_time": "2026-07-15T11:33:40.404357571Z",
"sha256": "8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625",
"versions": [
"2.0.0"
],
"modified_time": "2026-07-15T11:30:59Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rakibox/MAL-2026-10679.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "rakibox-2.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-F6ANEsDFNcbSmZMcFPThr22wxaNh6PD/J7y7gpCxe/gT3gWO3LIubHlS7+BtG5eQ6gwXTerfwXqi7F+BioLYeg==",
"sha1": "809a3e1d905f3105302ea476d7fd4078f5d1e0f2"
}
}
],
"evidence_files": [
{
"path": "dist/index.js",
"sha256": "94135b963d7fc005b38e4b54cfbb52a04c32f71d098efaaee6a759be41d37b4e",
"tlsh": "81b1971206f64b3f29b27381a50a001622b98b563744f0173a6dd65f7fa915e82f77fc"
},
{
"path": ".env",
"sha256": "3ed107a5b59c9c74faad53262b0bcae12133b6d6737712c09ead0ccee580b0f7",
"tlsh": "73d0c2f9d1181355278f8260a206738da0770468c7f7b0e62812922b6484268c669d05"
}
]
}