{"_id":"@amrahulmail/ctf-lab-safe","_rev":"2-51dca80fc7c7c42f8cc4be5e64a27daa","name":"@amrahulmail/ctf-lab-safe","dist-tags":{"latest":"1.1.0"},"versions":{"1.0.0":{"name":"@amrahulmail/ctf-lab-safe","version":"1.0.0","keywords":["UNSAFE","DO-NOT-USE","security-research","supply-chain-attack-demo","ctf","test-lab"],"author":{"url":"DO NOT USE","name":"Security Research Lab"},"license":"MIT","_id":"@amrahulmail/ctf-lab-safe@1.0.0","maintainers":[{"name":"amrahulmail","email":"amrahulmail@gmail.com"}],"dist":{"shasum":"d153d425fd3c64725fe7380cc417f387c292f953","tarball":"https://registry.npmjs.org/@amrahulmail/ctf-lab-safe/-/ctf-lab-safe-1.0.0.tgz","fileCount":3,"integrity":"sha512-SaXwOk+/MW5UhOUFJdyDs7TqmvhaHOHFh9axbQgGP5614tSm8rEk8FlF5iK8UiPiLpwtJ2WG6lfL+24Jvb6rFQ==","signatures":[{"sig":"MEUCIQCP7ar0X1deJ/2VTiF1HFk4YyDQk4lp//R+S0GEea+uTwIgf34dZxScXXAZFjGoeZW57IYzHlA3eSZDRT2uyBBHr0Q=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"unpackedSize":2969},"main":"index.js","_npmUser":{"name":"amrahulmail","email":"amrahulmail@gmail.com"},"_npmVersion":"11.9.0","description":"WARNING: CTF LAB PACKAGE — DO NOT USE IN PRODUCTION. Simulates a legitimate-looking direct dependency that secretly pulls in a malicious transitive dep.","directories":{},"_nodeVersion":"25.6.1","dependencies":{"@amrahulmail/ctf-lab-evil":"^1.0.0"},"_hasShrinkwrap":false,"_npmOperationalInternal":{"tmp":"tmp/ctf-lab-safe_1.0.0_1776328228412_0.19073148989964572","host":"s3://npm-registry-packages-npm-production"}},"1.1.0":{"name":"@amrahulmail/ctf-lab-safe","version":"1.1.0","description":"WARNING: CTF LAB PACKAGE — DO NOT USE IN PRODUCTION. Simulates a legitimate-looking direct dependency that secretly pulls in a malicious transitive dep.","main":"index.js","dependencies":{"@amrahulmail/ctf-lab-evil":"^1.0.0"},"keywords":["UNSAFE","DO-NOT-USE","security-research","supply-chain-attack-demo","ctf","test-lab"],"author":{"name":"Security Research Lab","url":"DO NOT USE"},"license":"MIT","_id":"@amrahulmail/ctf-lab-safe@1.1.0","_nodeVersion":"25.6.1","_npmVersion":"11.9.0","dist":{"integrity":"sha512-8i30UlVZPiEfnC2ZDXAZG6AqWQkF3khRVUKtSGjfzDaRuo1Lo3ZHGTSSTbEnh5h8jmIfl97yr3hdFUzGP9219g==","shasum":"ae659c432ed592025a1b0f92e1884251c827ba38","tarball":"https://registry.npmjs.org/@amrahulmail/ctf-lab-safe/-/ctf-lab-safe-1.1.0.tgz","fileCount":3,"unpackedSize":2969,"signatures":[{"keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U","sig":"MEYCIQCdRip2Wx+2C6ScT0PV4h/Alt7bVjOQxFEq1W0QaDhkuwIhALDEK7zpWLE0AEu0RHykwRrNlBSN81mNXrRjGblJvBLj"}]},"_npmUser":{"name":"amrahulmail","email":"amrahulmail@gmail.com"},"directories":{},"maintainers":[{"name":"amrahulmail","email":"amrahulmail@gmail.com"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages-npm-production","tmp":"tmp/ctf-lab-safe_1.1.0_1776336420073_0.8044934096680896"},"_hasShrinkwrap":false}},"time":{"created":"2026-04-16T08:30:28.311Z","modified":"2026-04-16T10:47:00.330Z","1.0.0":"2026-04-16T08:30:28.546Z","1.1.0":"2026-04-16T10:47:00.204Z"},"author":{"name":"Security Research Lab","url":"DO NOT USE"},"license":"MIT","keywords":["UNSAFE","DO-NOT-USE","security-research","supply-chain-attack-demo","ctf","test-lab"],"description":"WARNING: CTF LAB PACKAGE — DO NOT USE IN PRODUCTION. Simulates a legitimate-looking direct dependency that secretly pulls in a malicious transitive dep.","maintainers":[{"name":"amrahulmail","email":"amrahulmail@gmail.com"}],"readme":"# @test-lab-unsafe/safe-dep\n\n> **WARNING: SECURITY RESEARCH / CTF LAB PACKAGE — DO NOT USE IN PRODUCTION**\n\nThis package is part of a supply-chain attack demonstration lab.\n\n## What it looks like\n\nA simple, innocent string utility library with 3 helper functions:\n\n- `capitalize(str)` — Capitalizes first letter\n- `truncate(str, maxLength)` — Truncates with ellipsis\n- `toKebabCase(str)` — Converts to kebab-case\n\nThe source code looks completely clean. No suspicious scripts. No obvious red flags.\n\n## The hidden danger\n\nThis package depends on `@test-lab-unsafe/evil-dep` as a runtime dependency. When you run `npm install @test-lab-unsafe/safe-dep`, npm also installs `evil-dep` — and its `postinstall` script fires automatically, **exfiltrating fake credentials to example.com before you can do anything about it.**\n\n## Usage (demo only)\n\n```js\nconst { capitalize, truncate, toKebabCase } = require('@test-lab-unsafe/safe-dep');\n\nconsole.log(capitalize('hello world'));     // Hello world\nconsole.log(truncate('a very long...', 10)); // a very lo...\nconsole.log(toKebabCase('myVariableName')); // my-variable-name\n```\n\n---\n**This package is for authorized security research and CTF/demo use only.**\n","readmeFilename":"README.md"}