Package Exports
- encrypted-archive
- encrypted-archive/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (encrypted-archive) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Security Research — Dependency Confusion PoC
This package was published as part of authorized security research on the Ubiquiti bug bounty program (HackerOne).
This is NOT malicious software. It performs a single DNS and HTTPS callback to a researcher-controlled server to prove that this package name is fetched by build systems. No data is exfiltrated, no system is modified.
Contact
- HackerOne: https://hackerone.com/rcl-lore
- If you received a callback from this package, please contact me via HackerOne.
What to do
If your build system fetched this package, it means your internal dependency resolution is vulnerable to dependency confusion. Please scope your private packages correctly and use .npmrc registry overrides.