Supply-chain threat intelligence
Risk score
92
Indexed incident for rallycoding (npm).
package.json declares 'rallycoding' as its own dependency, resolved from an unauthenticated plain-HTTP URL http://pack.nppacks.com/npm/rallycoding rather than the npm registry. On npm install, npm fetches and installs that arbitrary tarball with no integrity pinning and no TLS, and executes any lifecycle scripts contained within it. Because the fetch is unpinned, unauthenticated, and off-registry, the operator of pack.nppacks.com — or any on-path attacker — controls exactly what code runs on the installer's machine at install time. The package additionally reuses the well-known 'rallycoding' identity from the JS teaching community and carries a comment stating 'Security Research Testing Purpose', consistent with a name-confusion lure. The harmful bytes are not shipped in this tarball but are fetched from an author-controlled host at install; regardless of what pack.nppacks.com currently serves, the mechanism is install-time execution of unpinned remote code from a non-registry HTTP source.
Affected versions
Indicators
Timeline