registry  /  rakibox  /  2.0.0

rakibox@2.0.0

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10679 confirms this npm version as malicious. Package is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented `rakibox push` command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com...

Advisory
MAL-2026-10679
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in rakibox (npm)
Details
Package is advertised as 'A minimalist Git wrapper tool'. When the user runs the documented `rakibox push` command, the CLI recursively walks the current working directory (skipping only node_modules,.git,.env, and.rakibox-stage.json) and uploads every file to a hardcoded Cloudflare R2 bucket named 'rakibox' at endpoint f96be84ba985f486f6c14f39115fcafc.r2.cloudflarestorage.com. The R2 access key ID and secret access key used for the upload are shipped inside the package's.env file, so the destination and credentials are baked in — the caller cannot redirect the push to their own storage. A user invoking a `push` on a git-wrapper CLI expects a version-control push to their own remote, not for their whole source tree (including any files not covered by the tiny hardcoded ignore list) to be mirrored into a bucket owned by the package author. The tarball also exposes the author's live R2 access key and secret, granting anyone who installs the package write access to that same bucket.
Decision reason
OpenSSF Malicious Packages via OSV confirms rakibox@2.0.0 as malicious (MAL-2026-10679): Malicious code in rakibox (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory