Steal the secret key - win the bounty
Developers are under attack. Typosquats, dependency confusion and obfuscated code are persistent threats during package installation. Phylum.io has built a sandbox that limits access to the filesystem, environment variables and the network. For example:
phylum npm install pkgName
How to participate
- Create an NPM package that runs a pre- or post-install hook
- In the install hook, read the data at
- POST the contents of this file to the URL below. If successful, you will get a JSON response back that includes additional instructions. Note that this host is only accessible from inside the CTF playground; there is no external route.
Rules of engagement
- A successful attack should focus on breaking out of the sandbox and simulate an attacker exfiltrating data during package installation.
- To win the bounty, you must provide a detailed writeup describing how you escaped the sandbox.
- Do not publish your packages to NPM. This will disqualify you.
Submit a package
Phylum is here to make open source better. Please help us! Upload your malicious NPM package and attempt to escape the sandbox to steal the secret key!