Affected script: "install-scripts:install"
The script downloads and executes a binary from the internet without any form of integrity checking or cryptographic signature verification. It leverages execSync to run shell commands that could be influenced by the content of the downloaded package (if tampered with) and writes files to the filesystem with potentially elevated privileges or modifies existing binaries. This could lead to arbitrary code execution if the package source is compromised or if an attacker intercepts the download (Man-in-the-Middle attack).
@fuel-ts/fuel-core's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|
node-fetch | 2.7.0 | 43.6 kB | MIT | prod |