Affected script: "install-scripts:install"
The code is suspicious because it downloads and extracts a binary from the internet without verifying its authenticity. The fetch function retrieves a .tar.gz archive from a hardcoded URL based on the version and package platform, and then the execSync function extracts the contents of that archive into the parent directory of the script. If the URL or the server hosting the files were compromised, this could lead to arbitrary code execution on the system where the script is run. Additionally, downloaded executables could be malicious if the URL points to a compromised version or if an attacker intercepts the request (Man-in-the-Middle attack). There is no cryptographic signature verification to ensure the integrity and authenticity of the downloaded binary, which further increases the risk of introducing malware into the system.
@fuel-ts/forc's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities
---|---|---|---|---|---
node-fetch | 2.7.0 | 43.6 kB | MIT | prod |