OSV ID
MAL-2026-10679
Ecosystem
npm
Summary
Package is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented rakibox push command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com. The R2 access key ID and secret access key used for the upload are shipped inside the package's.env file, so the destination and credentials are baked in — the caller cannot redirect the push to their own storage. A user invoking a push on a git-wrapper CLI expects a version-control push to their own remote, not for their whole source tree (including any files not covered by the tiny hardcoded ignore list) to be mirrored into a bucket owned by the package author. The tarball also exposes the author's live R2 access key and secret, granting anyone who installs the package write access to that same bucket.
Source: amazon-inspector (8c59dad78f7e47be7f92d7ab89e245bb096f2e4f8679e73f00934016f1823625)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.