0.0.1-security • Published 2 years ago
compromised-npm-package v0.0.1-security
Proof of concept (POC) of a vulnerable app that leaks environment variables via a compromised npm package.
Do not install this package. Its only purpose is to demonstrate how an application using this package is vulnerable to leaking secrets from the server.
Full POC repo: https://github.com/maximivanov/nodejs-leak-env-vars
Blog post: How compromised NPM package can steal your secrets (POC + prevention)