JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 147
  • Score
    100M100P100Q77739F
  • License MIT

Security research - dependency confusion attribution PoC for Ubiquiti. Contact: https://hackerone.com/rcl-lore

Package Exports

  • encrypted-archive
  • encrypted-archive/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (encrypted-archive) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Security Research — Dependency Confusion PoC

This package was published as part of authorized security research on the Ubiquiti bug bounty program (HackerOne).

This is NOT malicious software. It performs a single DNS and HTTPS callback to a researcher-controlled server to prove that this package name is fetched by build systems. No data is exfiltrated, no system is modified.

Contact

What to do

If your build system fetched this package, it means your internal dependency resolution is vulnerable to dependency confusion. Please scope your private packages correctly and use .npmrc registry overrides.