1.0.2 • Published 3 years ago
setuid-test v1.0.2
This package is for testing only. It demonstrates that npm i setuid-test -g will result in an executable with the setuid bit set being installed on the target system. Basically, NPM just unpacks a tar file, preserving all permission bits. This is a potential vector for privilege escalation ... but then again, NPM will also run a bunch of scripts from the package on installation anyway, so ...
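One way to check a package tarball for this before installing it, as an added example that is not part of the setuid-test package: the script reads the mode field of each tar header and reports entries carrying setuid, setgid or sticky bits. The function names and the sample archive are constructed for illustration.

```javascript
// Added example, not part of the setuid-test package.
const zlib = require('zlib');
const SPECIAL = [[0o4000, 'setuid'], [0o2000, 'setgid'], [0o1000, 'sticky']];

// Read a NUL-terminated string / octal number from a tar header field.
const str = (h, off, len) => h.toString('utf8', off, off + len).split('\0')[0];
const oct = (h, off, len) => parseInt(str(h, off, len).trim() || '0', 8);

// Walk the 512-byte blocks of an (optionally gzipped) tarball and report
// every entry whose mode field carries setuid, setgid or sticky bits.
// Simplification: base-256 sizes and pax long names are not decoded.
function findSpecialBits(tgz) {
  const tar = tgz[0] === 0x1f && tgz[1] === 0x8b ? zlib.gunzipSync(tgz) : tgz;
  const hits = [];
  for (let off = 0; off + 512 <= tar.length;) {
    const h = tar.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break; // end-of-archive marker
    const prefix = str(h, 345, 155);    // ustar path prefix, empty if unused
    const name = (prefix ? prefix + '/' : '') + str(h, 0, 100);
    const mode = oct(h, 100, 8);
    const bits = SPECIAL.filter(([m]) => mode & m).map(([, label]) => label);
    if (bits.length) hits.push({ name, mode: mode.toString(8), bits });
    off += 512 + Math.ceil(oct(h, 124, 12) / 512) * 512; // header + padded data
  }
  return hits;
}

// Constructed sample entry: a minimal ustar header (checksum omitted, this
// parser does not verify it) followed by the zero-padded file body.
function sampleEntry(name, mode, text) {
  const data = Buffer.from(text);
  const h = Buffer.alloc(512);
  h.write(name, 0);
  h.write(mode.toString(8).padStart(7, '0'), 100);
  h.write(data.length.toString(8).padStart(11, '0'), 124);
  h.write('0', 156);     // typeflag: regular file
  h.write('ustar', 257); // magic
  const body = Buffer.alloc(Math.ceil(data.length / 512) * 512);
  data.copy(body);
  return Buffer.concat([h, body]);
}

// Constructed package: one ordinary file and one setuid executable.
const sampleTgz = zlib.gzipSync(Buffer.concat([
  sampleEntry('package/package.json', 0o644, '{"name":"demo"}'),
  sampleEntry('package/bin/tool', 0o4755, '#!/bin/sh\n'),
  Buffer.alloc(1024), // two zero blocks end the archive
]));
console.log(findSpecialBits(sampleTgz));
```

The same function accepts the bytes of a tarball produced by npm pack, read with fs.readFileSync.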