{"_id":"cache-poisoning-pwn-demo","_rev":"19-ba9244757a67d8cc36268c04fa455b82","name":"cache-poisoning-pwn-demo","dist-tags":{"latest":"0.1.32"},"versions":{"0.1.0":{"name":"cache-poisoning-pwn-demo","version":"0.1.0","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.0","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"27fa629bb6c846d2540a17cbc1b88712d8571cbd","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.0.tgz","fileCount":4,"integrity":"sha512-6e8UTboVHO/sTy8HQZf39qPgM1asL/gCjhVEdckQTPAXlidWK28UFWZwzQ4om/IHkx3LMiqn9mRm126VKAG05A==","signatures":[{"sig":"MEUCIA4TjkdXW4sxvW9Zv2y5/dAh6S5icuosAA415oBa2aTDAiEAoXkdWOAqDoI7hTrh2IFrwwplb25hxSWA9HcJ1pp4FSc=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"unpackedSize":9428},"main":"dist/index.js","gitHead":"3eced2ab58a613f39ae0983944ff38d59cc5301f","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.12.1","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.15.0","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.0_1778697103279_0.15849971535466967","host":"s3://npm-registry-packages-npm-production"}},"0.1.11":{"name":"cache-poisoning-pwn-demo","version":"0.1.11","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.11","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"971507c2d5ed5a3f915d5b54b8a6ce6c8474bc56","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.11.tgz","fileCount":4,"integrity":"sha512-DecK+dczcQrKGy6Hjh/0xi3bdRF9wN90CZ7yguw7h/xo2TyeSvdIFaTgnKLmUVrc5WHrQS/HQAGK1dCR6EwACg==","signatures":[{"sig":"MEUCIGA0SW+WfCaECBJ6WOUVDoyvmwlEeqeqh/H0IC456GH5AiEAlLq2h3YAxfmFgbyO/MIjPSo3wpMMtqN3hGMktGJNnK4=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.11","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":9679},"main":"dist/index.js","gitHead":"7180b0b80f6e797ac8d18671cc8f29afc7f798ea","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:248b5c8f-5d89-4233-8836-1225ba24736a"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.11_1778699930359_0.7293443824908163","host":"s3://npm-registry-packages-npm-production"}},"0.1.16":{"name":"cache-poisoning-pwn-demo","version":"0.1.16","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.16","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"ba65e34f57df38ec7a0a1bfb998d4635d128ee0a","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.16.tgz","fileCount":4,"integrity":"sha512-Zx7K7kN93qPIS8gDFqIqrKBF5+RbYVy3m9prjAoSgppqinATFEunWtClnv/jdXgEbq/ITijpYIHSgBiivcw1Bw==","signatures":[{"sig":"MEUCIA6qalt0WaQ9V1zDprbdliJTR8hE8nGvdQ2g2wQmxqYuAiEAqKdtgYgB8qJ18XB83LU5VOXk3grJX551a6MY1Jk9Hlg=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.16","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":14002},"main":"dist/index.js","gitHead":"58132fed0b604e384463b390d2fec489ea49b68a","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.16_1778702948352_0.8047874409597298","host":"s3://npm-registry-packages-npm-production"}},"0.1.17":{"name":"cache-poisoning-pwn-demo","version":"0.1.17","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.17","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"a54c9877d1c881a23948a0badd465e4f04923fd2","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.17.tgz","fileCount":4,"integrity":"sha512-8fJoSPsYNKaGjzwCy2WrXmMtKD9hwJYg1lOgyTcV8EYmVZ6IYBkqKRVH1p/OZSk7hZqyw78aSjEZ3TI9x71GnA==","signatures":[{"sig":"MEYCIQCGLyKP0ZtbT4ZWBVIKYimpvY6wv9B6kZmHp3tKqf8MqQIhAMX5XeLCuhN2/ZIVT/F1i3Lo3Z0XC32fiIm+Ny7EOPOX","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.17","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":14002},"main":"dist/index.js","gitHead":"70f97d27240cdf4bdad3bd5c88d092d3c4e25acc","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.17_1778703052070_0.2650336980185044","host":"s3://npm-registry-packages-npm-production"}},"0.1.18":{"name":"cache-poisoning-pwn-demo","version":"0.1.18","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.18","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"71e41b3e5292489b1152a16e3a21d812372c674b","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.18.tgz","fileCount":4,"integrity":"sha512-Y/V+/jsJrZdYsGL/9tZeYYZltfUdzpIJWwVF5Wm9Bd0dyANzPI7r7YIWDi+aLqBqB6MLeqxZiozaaSaUGzmI5Q==","signatures":[{"sig":"MEUCIQCc5I494tALXZEOs9ZX+IDW0DHOIANfjbBOPAi9+VXGZgIgbfuk1siYa/JTK/6z+o2UvzC8RYwklUTh/O9WfzrQ1bc=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.18","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":15116},"main":"dist/index.js","gitHead":"cd5dae6d31940150b5caf1df2b43bceefb197459","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.18_1778703217305_0.19501960117091266","host":"s3://npm-registry-packages-npm-production"}},"0.1.19":{"name":"cache-poisoning-pwn-demo","version":"0.1.19","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.19","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"5c2707ac180bfdf9f7e8703c550f2a2a7ee0439e","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.19.tgz","fileCount":4,"integrity":"sha512-8ZDaUGx0bNDp6HX9M/gOP5kGqerrBgpDZr5mAn0k2IYmuIttCzw9dhWxIBNmknknmUuZa3hMRTh0v7exsqQGXQ==","signatures":[{"sig":"MEYCIQCoWU9PNj2gcdPcG+jW116qp0H2gSHBuwgIsa0bQe7pJAIhANZb/dn+L98xN5uPV+Qcm1+EIhfgPGXxJqB7cFx8P0yM","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.19","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":14002},"main":"dist/index.js","gitHead":"db6872d37dd04cfedd417ae988aab8c45d561201","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.19_1778703510638_0.07506750365673098","host":"s3://npm-registry-packages-npm-production"}},"0.1.20":{"name":"cache-poisoning-pwn-demo","version":"0.1.20","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.20","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"9c2bc09a250b10232564e09935c87d1728ae3f7b","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.20.tgz","fileCount":4,"integrity":"sha512-aifSEv/btRzHBkXR2ZDaD8/yFEkee6zIY9woeP6ptm6E6zY0xeJOq9W8X940yz+t8ejC+fhmSqtJBMYAfyAXaw==","signatures":[{"sig":"MEUCIHX77oH6SKHVsIhB8dq1Mv4S2aIWmDZAgoTBQVm5iO3eAiEAsEgCWeo02F82uG+XWPFhwNXmG7X5TZw3u5ura88XoWw=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.20","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":14002},"main":"dist/index.js","gitHead":"440645f6190c2a85d6605b2e5c62e69b1bdbcad1","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.20_1778767800580_0.021361660373236724","host":"s3://npm-registry-packages-npm-production"}},"0.1.21":{"name":"cache-poisoning-pwn-demo","version":"0.1.21","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.21","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"af5522da7d6e0a3ceabaf33b295500814de59998","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.21.tgz","fileCount":4,"integrity":"sha512-ZoohbhII4d5yrlS06376009Nc9TFmi3B/6PvFJFvFkAbBL1fqvQEiTHUpyamih1fnvUDSjwLpigni/UpbCzCIQ==","signatures":[{"sig":"MEUCIQDtuD/ciQ2W+pZrmy3d7uMzJJdbTMXTWD5WWz3cIPy1mAIgAUPkvRKGuVdLGd1dyyFjtMWm787IAga/yMcoVijpCLU=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.21","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":13089},"main":"dist/index.js","gitHead":"1cd064eff4575222fe5951fbf1a23fcccf843d01","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.21_1778768195814_0.10101253959834566","host":"s3://npm-registry-packages-npm-production"}},"0.1.22":{"name":"cache-poisoning-pwn-demo","version":"0.1.22","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.22","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"00befc8fdff7b2c5799f7a5b3564fcdb3e827ec5","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.22.tgz","fileCount":4,"integrity":"sha512-XZ0tYyGja6X9ni1p28Gw39FE/684H174PM+X5GCZ4wa2cX3lL4k2W93RTFpUfbaGpEkaTC+tIcOVUOxZElDBOg==","signatures":[{"sig":"MEQCIEOne9cmPaXeqn67ajxZ+7O/tC9j6S2h4xSR7dF3E8gvAiAvoysBhlBXne1PyAIU5vRMHrgwAfin8NMG9lTRrW6MHw==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.22","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":13089},"main":"dist/index.js","gitHead":"783637eb52666cb542c589125267e4a696aa6cac","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.22_1778768823268_0.12467192976916541","host":"s3://npm-registry-packages-npm-production"}},"0.1.23":{"name":"cache-poisoning-pwn-demo","version":"0.1.23","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.23","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"404d407c246987fd9fd903701579611ffdef82f3","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.23.tgz","fileCount":4,"integrity":"sha512-4VBDvTCw+R+lnFkpZEvgE6qPcA7IJ1lsAAZyZB2QBrlneZXem55YfIVUClbdtSaZJwL4R9hrI4AxLE3WFbLKiQ==","signatures":[{"sig":"MEQCIFuo8nVMssWyc7+KAnwXcK13n29OlA7oRX9y7WD5ATrEAiBVLKBMgnadWgdgoaL1vrCAKtBadm6aowB8yzLCr6K4VA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.23","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":13089},"main":"dist/index.js","gitHead":"62aa8caeacc0ae17966b5f2b9c868bd0ee37cbb4","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.23_1778769839287_0.4054327511924354","host":"s3://npm-registry-packages-npm-production"}},"0.1.24":{"name":"cache-poisoning-pwn-demo","version":"0.1.24","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.24","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"62e42d05b106d7f3b1c2e77dfcf4732774aad6d0","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.24.tgz","fileCount":4,"integrity":"sha512-01Bf5MVi0+5RkrsMhN5j1V8xFROeKjWhz6pjI2o2PIEWJ9b+VY6g/GEJ4Y4w2gJ6vpSSvxEq/ja6j3+mUkzNlA==","signatures":[{"sig":"MEYCIQDbUxAtDW7BRvlwqD10RnJDGwkh/gTzEN+7QjjaWNbhMQIhAJa+omNukF47Y7MsJ4LWXs3B91538NQtzV0QHlIpWog/","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.24","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":13090},"main":"dist/index.js","gitHead":"c1efff1e6d075d5bdef482df2da1b677e1fe807b","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.12.1","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.15.0","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.24_1778770202625_0.06885784223720437","host":"s3://npm-registry-packages-npm-production"}},"0.1.25":{"name":"cache-poisoning-pwn-demo","version":"0.1.25","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.25","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"435be1ee046b1e0141e2b27d6d1bd9e6690251a7","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.25.tgz","fileCount":4,"integrity":"sha512-H5j9hjOYIQCd+6GA+sCNqsdEXg/oUEndO0RuCtzHNX8krY3Vz/IBwyktkQxEbWLEnP5H2CIPLEbNxYbgtIr1WA==","signatures":[{"sig":"MEUCIQDAn69i+YTQpjJYNgMzrgaA1i+daMrwk+5qmkcMb6eVRgIgOi5BsT1VbqP8b4SEz9gwFieXLR8yGAzQIKeyYVU21k0=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.25","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":13090},"main":"dist/index.js","gitHead":"9635a8e0b3961e7ae61efa884fe4147f8b156367","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.25_1778770327168_0.10019928438823511","host":"s3://npm-registry-packages-npm-production"}},"0.1.26":{"name":"cache-poisoning-pwn-demo","version":"0.1.26","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.26","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"6c4c113ea9e62f3b0f6399e1bc08cf7ff4f869eb","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.26.tgz","fileCount":4,"integrity":"sha512-u+fSwMDBuHwpnsbp85ryR/ilnw9z6rRO4PNBmi2qR2INS3YUdnAMCZsdB/yECXHiFrmeO8b0wvu3dtHYyMDYVg==","signatures":[{"sig":"MEYCIQD5HV3tiXX0BfzRfdYvW1sLdCRQXt+9o9l/ai5apg2UCwIhAJdb5qVbsVxEJ9gwTnS9+7rbgE0y0ZpLsv3meWzxAQiI","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.26","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":13058},"main":"dist/index.js","gitHead":"bad60d15333ee582456f6e09a5a8ca31b2dbab26","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.26_1778770662399_0.6864853996165181","host":"s3://npm-registry-packages-npm-production"}},"0.1.27":{"name":"cache-poisoning-pwn-demo","version":"0.1.27","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.27","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"6a90e0154722ee9252d356cf4dabd45a6c5b219a","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.27.tgz","fileCount":4,"integrity":"sha512-RR3FpRDvTBSQcRZr1Pe5S8ztcQEK0+m+xAPjX9Y+GejULDNpqmGBQDUJvUg0z6JOMXc2YTZ8BL4ggIlzB2Prmg==","signatures":[{"sig":"MEUCIQCoa0N6SEBNAd/4uh/Ctsl053nFfTCHnGzgUshPSb7mJAIgRNF3gjv9KwTH8gJjYKvlWhSWER3Yp9gdoOj9wUNkcVk=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.27","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":14172},"main":"dist/index.js","gitHead":"f3986a20cf280ab7387ab9f7c1225f76e7c8f665","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.27_1778770903968_0.19726301088995157","host":"s3://npm-registry-packages-npm-production"}},"0.1.28":{"name":"cache-poisoning-pwn-demo","version":"0.1.28","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.28","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"cf70755c3644ad3d66b992b2ced24016d25d3f15","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.28.tgz","fileCount":4,"integrity":"sha512-e2g7ccpCVh07T0YdttzX8NU04yITa0ase6b2km7i/7QrHlGeldGZQNWh33BH11FV/mK+v8LM1nJuObNmwjuw/g==","signatures":[{"sig":"MEUCIQDpp/753JHL1H5RPdOVelWISmH3mPShZFuZBLbEPylD5AIge516OkNiDh2O97zvCX4UmZlrKMtdEbd32a6zbbKYM/A=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.28","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":14172},"main":"dist/index.js","gitHead":"f2b63539abad422f96e035a56a45ef87de73a856","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.28_1778771047180_0.8033623074612979","host":"s3://npm-registry-packages-npm-production"}},"0.1.29":{"name":"cache-poisoning-pwn-demo","version":"0.1.29","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.29","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"09d8cc855a99ace23648aa6508bd243d46f4d4b3","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.29.tgz","fileCount":4,"integrity":"sha512-Dxn9iDu83fEU35Tbz89eKKfP9UuhD0uCsENLAIrIrXqGVSO1SlXr4g28vzWhKgdlviRp0MfVyhd9KBR6oCv2rA==","signatures":[{"sig":"MEUCIFtP4F+mWVQhOXVQCV899acu36C/xSjdCF4VvPSD20ojAiEAiJZ0r2cjAM1tJ7SLmsy2wd3qOk980QCkiEm9vqmJNbw=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.29","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":14172},"main":"dist/index.js","gitHead":"3d8b9d4e18441694a899e5f11b5f08ac22c9c411","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.29_1778771081064_0.3363527727341684","host":"s3://npm-registry-packages-npm-production"}},"0.1.30":{"name":"cache-poisoning-pwn-demo","version":"0.1.30","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.30","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"32612401f9b5c95d81397a2a49fd9e443778a4ab","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.30.tgz","fileCount":4,"integrity":"sha512-WZux6ZE0ICXK3t2RT5+T743ahcZZOFtiNo3cAOUsswqMupZRpIvtjLLQ3HZrcVU6PbPJONtg9l8N9W8aDt+QQg==","signatures":[{"sig":"MEQCIGv4/Bxkizs2sCqtqMY/FMum7zY4i9dqe5RJzfeTUhbDAiBfw3uBL0lXJWefVzup28RYlcQ4OzAVLT/34WGiUGCEhA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.30","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":13058},"main":"dist/index.js","gitHead":"20b20a5f6b8df70803d4e329d86ea87a35fd3da2","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.12.1","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.15.0","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.30_1778777087567_0.16032925947447385","host":"s3://npm-registry-packages-npm-production"}},"0.1.31":{"name":"cache-poisoning-pwn-demo","version":"0.1.31","keywords":["demo","security","supply-chain","education"],"license":"MIT","_id":"cache-poisoning-pwn-demo@0.1.31","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"dist":{"shasum":"2b841d43755d81a49e56ef1c8f68f78522feef0b","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.31.tgz","fileCount":4,"integrity":"sha512-cFjY3QKDVcUbxm18XRJBOkIYce0+njZoQqnzzzg6W4vTJeJe3UxWjIvcApvpPQpd3qoLXbLZvh46pT2L8aa6xQ==","signatures":[{"sig":"MEUCIHpoTB9/VZejeqpjKQxeSfo2LvWvZxkL4EL4sNjE60KgAiEAqO+fqaKBtwiHWsfeABhieJsHPgl1FERkkvFvlUatkHM=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.31","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"unpackedSize":13059},"main":"dist/index.js","gitHead":"c0ddafa5b12199b88203d0ab44475d29e4b1d86e","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"repository":{"url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git","type":"git"},"_npmVersion":"11.11.0","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","directories":{},"_nodeVersion":"24.14.1","dependencies":{"is-number":"^7.0.0"},"_hasShrinkwrap":false,"devDependencies":{"esbuild":"^0.21.5"},"_npmOperationalInternal":{"tmp":"tmp/cache-poisoning-pwn-demo_0.1.31_1778785857185_0.03910919226057241","host":"s3://npm-registry-packages-npm-production"}},"0.1.32":{"name":"cache-poisoning-pwn-demo","version":"0.1.32","description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","keywords":["demo","security","supply-chain","education"],"homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","repository":{"type":"git","url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git"},"license":"MIT","main":"dist/index.js","scripts":{"build":"node scripts/build.js","prepare":"npm run build","postinstall":"node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\""},"dependencies":{"is-number":"^7.0.0"},"devDependencies":{"esbuild":"^0.21.5"},"gitHead":"9762f923ae377703019e87fe840b092d9ab59da5","_id":"cache-poisoning-pwn-demo@0.1.32","bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"_nodeVersion":"24.14.1","_npmVersion":"11.11.0","dist":{"integrity":"sha512-tfdgJiqDcQoQ21InBND1slsq74CZPefo7AMXHdcZ7dZkGKeX4qKYuoxPBzYbLUIFDf+WQtBDxqH0MbwUlUbnhw==","shasum":"fdebffa582b363c64908720e9287173200494d58","tarball":"https://registry.npmjs.org/cache-poisoning-pwn-demo/-/cache-poisoning-pwn-demo-0.1.32.tgz","fileCount":4,"unpackedSize":14173,"attestations":{"url":"https://registry.npmjs.org/-/npm/v1/attestations/cache-poisoning-pwn-demo@0.1.32","provenance":{"predicateType":"https://slsa.dev/provenance/v1"}},"signatures":[{"keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U","sig":"MEYCIQD6B+BQ7oskCQjUXW/Ni6jtijCS0dJaiAWB3xM4sAJqTwIhANNFvkM8B21rGDHJE0HLatZKNbTLEeRHat5fG1YqciQh"}]},"_npmUser":{"name":"GitHub Actions","email":"npm-oidc-no-reply@github.com","trustedPublisher":{"id":"github","oidcConfigId":"oidc:e8319253-da4b-4220-b361-b8f651a9cc82"}},"directories":{},"maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages-npm-production","tmp":"tmp/cache-poisoning-pwn-demo_0.1.32_1778786636190_0.13157753930620908"},"_hasShrinkwrap":false}},"time":{"created":"2026-05-13T18:31:43.217Z","modified":"2026-05-14T19:23:56.656Z","0.1.0":"2026-05-13T18:31:43.426Z","0.1.11":"2026-05-13T19:18:50.497Z","0.1.16":"2026-05-13T20:09:08.562Z","0.1.17":"2026-05-13T20:10:52.212Z","0.1.18":"2026-05-13T20:13:37.454Z","0.1.19":"2026-05-13T20:18:30.779Z","0.1.20":"2026-05-14T14:10:00.732Z","0.1.21":"2026-05-14T14:16:36.030Z","0.1.22":"2026-05-14T14:27:03.432Z","0.1.23":"2026-05-14T14:43:59.483Z","0.1.24":"2026-05-14T14:50:02.778Z","0.1.25":"2026-05-14T14:52:07.375Z","0.1.26":"2026-05-14T14:57:42.540Z","0.1.27":"2026-05-14T15:01:44.124Z","0.1.28":"2026-05-14T15:04:07.341Z","0.1.29":"2026-05-14T15:04:41.222Z","0.1.30":"2026-05-14T16:44:47.712Z","0.1.31":"2026-05-14T19:10:57.330Z","0.1.32":"2026-05-14T19:23:56.365Z"},"bugs":{"url":"https://github.com/lullu57/gh-actions-demo-cache-poisoning/issues"},"license":"MIT","homepage":"https://github.com/lullu57/gh-actions-demo-cache-poisoning","keywords":["demo","security","supply-chain","education"],"repository":{"type":"git","url":"git+https://github.com/lullu57/gh-actions-demo-cache-poisoning.git"},"description":"Educational demo: a deliberately vulnerable npm package showing how GitHub Actions cache poisoning can produce a malicious release without stealing any credential. Do NOT use in production.","maintainers":[{"name":"lullu57","email":"kezitogaleacurmi@gmail.com"}],"readme":"# cache-poisoning-pwn-demo\n\n> **Educational demo, do NOT use in production.** Installing this package opens Calculator (or the platform equivalent) on the consumer's machine. That's the point — it's a real supply-chain attack against an npm package built with GitHub Actions, end-to-end on real infrastructure.\n>\n> Published to npm: [`cache-poisoning-pwn-demo`](https://www.npmjs.com/package/cache-poisoning-pwn-demo) · Flagship demo in the [series](https://github.com/lullu57/gh-actions-supply-chain-demo#the-nine-patterns).\n\nA faithfully-reproducible cache-poisoning attack modeled on the [May 2026 TanStack npm compromise](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem). The package is real, on public npm, and the attack chain runs end-to-end through real GitHub Actions and real npm OIDC trusted publishing.\n\n**No credential is stolen. No maintainer is compromised.** A stranger's pull request — closed without merging — causes the maintainer's *own* CI to publish a malicious release on the next innocent push to `main`. The published version carries a correctly-issued **npm provenance attestation**, because the attack works inside the trusted workflow, not against its keys.\n\nThis is the orchestrator's [GitHub Actions cache seam](https://github.com/lullu57/gh-actions-supply-chain-demo#the-platform-model-behind-the-analogy): caches are shared across triggers, fork PRs can plant entries that a later release restores, and cache writes ignore `permissions: contents: read`. The same kitchen analogy as the orchestrator's [shared spice rack](https://github.com/lullu57/gh-actions-supply-chain-demo#wrong-assumption-1--only-the-chef-touches-the-key).\n\n## Why this repo exists\n\nReading the TanStack postmortem communicates the *shape* of the attack; running this demo communicates the *speed* and the *invisibility*. Audiences who watch a malicious version appear on the npm UI seconds after an innocuous `git push` rarely forget the demo. It also doubles as a hardening reference: every link in the unsafe chain has a paired safe alternative in [`fix/`](fix/README.md), and every \"bad practice\" has an empathy note in [`why/README.md`](why/README.md).\n\n## If you found this organically (via npm or search)\n\nThe package on npm is real. Installing it triggers the educational payload — it opens Calculator and prints a marker. It does not exfiltrate, persist, or do anything else. It is not a typosquat; the name is intentionally demo-flagged. If you maintain an npm package built with Actions, [`fix/README.md`](fix/README.md) has the three workflow changes that make this attack class structurally impossible. If you consume npm packages in CI, set `npm config set min-release-age 7` (see [below](#consumer-side-mitigation)).\n\n## The attack in one diagram \n\n```\nAttacker fork PR (or any same-repo branch from a write-access account)\n    │\n    ▼\n.github/workflows/vulnerable-bundle-size.yml\n    │  triggers on pull_request_target → runs in BASE repo trust context\n    │  checks out PR HEAD; npm install fires attacker's prepare hook\n    │  caches node_modules — INCLUDING the poisoned is-number/index.js\n    ▼\n[ shared GitHub Actions cache key: nm-<hash-of-package-lock.json> ]\n    │  cache persists even after the PR is closed\n    ▼\nAny future push to main (a typo fix, a Dependabot bump, anything)\n    │\n    ▼\n.github/workflows/vulnerable-release.yml\n    │  restores the poisoned cache; builds; bundles poisoned is-number into dist/postinstall.js\n    │  mints OIDC token; publishes v0.1.N with provenance attestation\n    ▼\nnpm registry: cache-poisoning-pwn-demo@0.1.N is now MALICIOUS\n    │\n    ▼\nAnyone running `npm install cache-poisoning-pwn-demo`\n    → postinstall executes → calculator opens → \"[supply-chain-demo] supply-chain attack PoC triggered.\"\n```\n\nThe four stages map to what the audience sees:\n\n| Stage | What happens | Audience-visible |\n|-------|--------------|------------------|\n| Baseline | v0.1.0 published cleanly by the maintainer | `npm install` prints \"thanks for installing\" |\n| Attack | Fork PR fires `pull_request_target`, plants payload into `node_modules/is-number`, cache poisoned, PR closed | Innocuous-looking workflow log on the PR |\n| Detonation | Maintainer pushes any change to `main`; release workflow restores cache, builds, publishes v0.1.1 | New version on npm with provenance |\n| Pwn | Audience runs `npm install` | Calculator opens on every audience machine |\n\n## File tour\n\n| Path | What it is |\n|------|------------|\n| [`package.json`](package.json), [`src/`](src/), [`scripts/build.js`](scripts/build.js) | A real, tiny npm package wrapping `is-number`. esbuild bundles `node_modules` into `dist/`. |\n| [`.github/workflows/vulnerable-bundle-size.yml`](.github/workflows/vulnerable-bundle-size.yml) | `pull_request_target` workflow that writes the poisoned cache |\n| [`.github/workflows/vulnerable-release.yml`](.github/workflows/vulnerable-release.yml) | `push: main` workflow that restores the cache, builds, publishes to public npm via OIDC |\n| [`.github/workflows/safe-*.yml`](.github/workflows/) | Fixed versions |\n| [`attack/README.md`](attack/README.md) | Full attacker walkthrough |\n| [`attack/fork-changes/`](attack/fork-changes/) | The exact files the attacker commits; `apply-attack.sh` scaffolds a fork in one command |\n| [`attack/simulate-attack.js`](attack/simulate-attack.js) | Local-only simulation (no GitHub, no npm) — opens Calculator on the demoer's machine |\n| [`SETUP.md`](SETUP.md) | One-time setup (npm account, package name, OIDC trusted publisher, repo push) |\n| [`DEMO-SCRIPT.md`](DEMO-SCRIPT.md) | Live demo timing (~6 min), what to click, what to say |\n| [`fix/README.md`](fix/README.md) | Line-by-line explanation of the fix |\n| [`why/README.md`](why/README.md) | Why the unsafe pattern exists |\n\n## Quick start\n\nThree paths, fastest to most dramatic:\n\n**Path A — local only, ~30 seconds.** `npm install && node attack/simulate-attack.js`. Calculator opens. Useful for proving the chain works before staging the live version.\n\n**Path B — staged live (recommended).** Follow [`SETUP.md`](SETUP.md) once. Pre-stage Acts 1–3 of [`DEMO-SCRIPT.md`](DEMO-SCRIPT.md) so v0.1.1 is already on npm. During the demo, do Acts 4–5 — audience installs and gets pwned, then reveal.\n\n**Path C — fully live, ~6 min.** Follow [`DEMO-SCRIPT.md`](DEMO-SCRIPT.md) end-to-end with the audience watching the attack PR open, the cache poison, the release publish, and the install.\n\n## What ends up on npm\n\n```\nnode_modules/is-number/index.js   ← attacker plants payload here via fork PR\n              ↓ esbuild\ndist/postinstall.js               ← bundled output; shipped in package files\n              ↓ npm install <pkg>\n       postinstall hook runs\n              ↓\n  child_process.exec('open -a Calculator')\n```\n\nA clean `node_modules` produces a `dist/postinstall.js` that prints \"thanks for installing\". A poisoned `node_modules` produces one that *also* opens Calculator. **The maintainer's source code does not change.** Only the bundle changes — because its inputs were tampered with.\n\n## Why this is hard to detect\n\nA maintainer-side audit shows nothing: no malicious commits on main, the release commit is a release-bot's `npm version patch`, and the published version has GitHub-attested provenance pointing to a real, clean commit. The malicious PR was closed and may not even appear in the repo's main UI — the poisoning step ran in a workflow log archived under the closed PR. The cached diff looks innocuous: a new `scripts/dev-hook.js` with a \"pre-warm the build cache\" comment, a one-character prepare-hook tweak, a README typo fix in the same PR for reviewer focus. And npm provenance signed it: the attestation is *correct* — it accurately states which workflow built which commit. The workflow just happened to bundle attacker-poisoned cache contents.\n\n## What the fix changes\n\nThree independent changes, each closing one link:\n\n1. `pull_request_target` → `pull_request`. Fork PRs no longer run in base trust context.\n2. Scope cache keys with `${{ github.event_name }}` (or use separate workflows). PR and release runs can't share caches.\n3. `npm ci --ignore-scripts` + split build/publish jobs. Even a compromised dep can't reach `id-token: write`.\n\nDetails in [`fix/README.md`](fix/README.md).\n\n## Consumer-side mitigation\n\nThe single most-effective defense from the consumer side is refusing to install package versions that were published very recently. npm 10+ supports this natively:\n\n```bash\nnpm config set min-release-age 7    # 7 days\n```\n\nA malicious version published via this chain then has 7 days to be detected and unpublished before any consumer's CI installs it. Combine with `npm audit` / `osv-scanner` in CI and most known-compromise scenarios get caught cleanly.\n\nTo install **this demo package** despite the setting, append `--min-release-age=0` to the install command — a per-invocation override that doesn't touch your default config.\n\n## How the demo publishes without a token\n\nThe release workflow uses npm **OIDC trusted publishing** — no `NPM_TOKEN` exists anywhere. GitHub Actions mints a short-lived JWT, npm verifies it against the package's trusted-publisher config, `npm publish` succeeds, and Sigstore signs the provenance attestation. This is the modern recommended pattern, used by major OSS projects. The demo's point is that this modernization does *not* save you from cache poisoning — if attacker bytes reach the publish job's `dist/`, they get the registry's blessing for free.\n\n## Cleanup\n\n```bash\nnpm unpublish <your-package>@0.1.1     # within 72h, or any time if no dependents\nnpm unpublish <your-package> --force    # nuclear option\ngit restore . && rm -rf node_modules dist && npm install\n```\n\n\n## References\n\n- [TanStack postmortem](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem) and [followup](https://tanstack.com/blog/incident-followup)\n- [GitHub Security Lab — preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n- [npm trusted publishing docs](https://docs.npmjs.com/trusted-publishers)\n","readmeFilename":"README.md"}