Affected script: "install-scripts:postinstall"
The script contains a significant security vulnerability: it uses exec() to execute shell commands. The exec() function can execute any command in the system shell, making it a potential exposure point for command injection. If an attacker has control over the process.env.npm_config_features environment variable, they might inject malicious code.
Likewise, the script downloads and executes a script directly from the internet (https://sh.rustup.rs) without any validation or verification of the fetched content. This is another security concern, as it is exposed to man-in-the-middle attacks and can lead to harmful actions.
wasm-grate's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|