{"_id":"vybscan-testbed-obfuscated-postinstall","_rev":"2-68f08d113b87d5cfde82409cc608460a","name":"vybscan-testbed-obfuscated-postinstall","dist-tags":{"latest":"1.0.0"},"versions":{"1.0.0":{"name":"vybscan-testbed-obfuscated-postinstall","version":"1.0.0","author":{"url":"github.com/vybscan-testbed","name":"Vybscan Testbed"},"license":"MIT","_id":"vybscan-testbed-obfuscated-postinstall@1.0.0","maintainers":[{"name":"naveendheemai","email":"naveen@dheemai.com"}],"homepage":"https://github.com/vybscan-testbed/recall-sca-postinstall#readme","bugs":{"url":"https://github.com/vybscan-testbed/recall-sca-postinstall/issues"},"dist":{"shasum":"629d69baaed842267da106391d575ff9d9b6b35c","tarball":"https://registry.npmjs.org/vybscan-testbed-obfuscated-postinstall/-/vybscan-testbed-obfuscated-postinstall-1.0.0.tgz","fileCount":2,"integrity":"sha512-Of1fGg5e57RkE/xeBA0mkuI0puH/hYus80pMUjbhl0GmB9UnuPtXEUFSeIfOyfg/mpWZLmekUu5F24a0gH/nnw==","signatures":[{"sig":"MEYCIQCmEiat4rP2CSHu+/FwpfZOOlFbNj4VWUStAA6TOIueWAIhAKxHwnc/cuYygmKFK9hcwdtoBsgcv/E9KZcj9Bz6tPnK","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"unpackedSize":3855},"private":false,"scripts":{"postinstall":"node -e \"eval(Buffer.from('Y29uc29sZS5sb2coJ1t2eWJzY2FuLXRlc3RiZWRdIGluZXJ0IGRlY29kZWQgcGF5bG9hZCDigJQgbm8gYWN0aW9uIHRha2VuJyk7','base64').toString())\""},"_npmUser":{"name":"naveendheemai","email":"naveen@dheemai.com"},"repository":{"url":"git+https://github.com/vybscan-testbed/recall-sca-postinstall.git","type":"git"},"_npmVersion":"11.6.2","description":"INERT SECURITY-RESEARCH TEST FIXTURE — do not install. Part of the Vybscan testbed accuracy benchmark (github.com/vybscan-testbed). This package's postinstall script base64-decodes a string and eval()s it — the textbook obfuscated-install-time-payload pat","directories":{},"_nodeVersion":"24.11.1","_hasShrinkwrap":false,"_npmOperationalInternal":{"tmp":"tmp/vybscan-testbed-obfuscated-postinstall_1.0.0_1783164469139_0.9235292565148194","host":"s3://npm-registry-packages-npm-production"},"deprecated":"Inert security-research test fixture — do not install. See README."}},"time":{"created":"2026-07-04T11:27:49.076Z","modified":"2026-07-04T11:30:05.204Z","1.0.0":"2026-07-04T11:27:49.264Z"},"bugs":{"url":"https://github.com/vybscan-testbed/recall-sca-postinstall/issues"},"author":{"url":"github.com/vybscan-testbed","name":"Vybscan Testbed"},"license":"MIT","homepage":"https://github.com/vybscan-testbed/recall-sca-postinstall#readme","repository":{"url":"git+https://github.com/vybscan-testbed/recall-sca-postinstall.git","type":"git"},"description":"INERT SECURITY-RESEARCH TEST FIXTURE — do not install. Part of the Vybscan testbed accuracy benchmark (github.com/vybscan-testbed). This package's postinstall script base64-decodes a string and eval()s it — the textbook obfuscated-install-time-payload pat","maintainers":[{"name":"naveendheemai","email":"naveen@dheemai.com"}],"readme":"# vybscan-testbed-obfuscated-postinstall\n\n**This is an inert security-research test fixture. Do not install or depend on this package.**\n\nIt exists so that [Vybscan](https://github.com/vybscan-testbed)'s supply-chain scanner\n(`step3ClaudeAnalysis` — install-time behavioral analysis) has a real, live, published npm\npackage to score its **recall** against: a postinstall script matching the obfuscated-payload\nattack pattern, in a form that requires no live external target to be genuinely unambiguous.\n\n## The postinstall script\n\n```js\nnode -e \"eval(Buffer.from('Y29uc29sZS5sb2coJ1t2eWJzY2FuLXRlc3RiZWRdIGluZXJ0IGRlY29kZWQgcGF5bG9hZCDigJQgbm8gYWN0aW9uIHRha2VuJyk7','base64').toString())\"\n```\n\nDecoded, the base64 blob is:\n\n```js\nconsole.log('[vybscan-testbed] inert decoded payload — no action taken');\n```\n\n## Why this is a cleaner recall case than a network-based one\n\nAn earlier design for this same benchmark pointed a \"download and exec\" pattern at\n`example.com` (IANA's reserved documentation domain) — but that created a real ambiguity: a\nsophisticated reviewer (or an LLM) could reasonably recognize the well-known placeholder domain\nand conclude *\"this has the shape of an attack but no achievable intent — a network capability\nalone isn't malicious\"* and correctly stay silent. That's actually the right call per Vybscan's\nown detection philosophy (see `precision-sca`'s sibling fixture,\n`vybscan-testbed-inert-postinstall`, which tests exactly that \"capability without intent\"\ndistinction).\n\n**Base64-decode-then-`eval`** doesn't have that ambiguity. There is no live destination to judge\nas \"safe\" or \"credible\" — the suspicious signal is the *structure itself* (an obfuscated payload\nthat only reveals its true content at install time), which has no legitimate use in a real\npackage regardless of what the payload turns out to be. This mirrors how a planted\n`eval(req.query.expr)` in the SAST benchmark repos (`recall-sast-js`) is a real vulnerability\nindependent of what an actual attacker would eventually pass — the pattern itself is the\nfinding, not a specific outcome. Here, the decoded content happens to be inert (a harmless\n`console.log`), but the obfuscate-then-execute structure is unambiguous either way.\n\n## What this is for\n\nPart of the [Vybscan testbed](https://github.com/vybscan-testbed) — a precision/recall\nbenchmark for the Vybscan security scanner. See `recall-sca-postinstall`'s `ANSWERS.yml` for the\nground-truth label this package's `postinstall` script is expected to receive: **flagged as\nsuspicious** (obfuscated install-time payload).\n\nQuestions / concerns about this package: open an issue at\n[github.com/vybscan-testbed](https://github.com/vybscan-testbed).\n","readmeFilename":"README.md"}