Demo package for Shoulder security scanning - contains suspicious patterns for testing only
> WARNING: This is a DEMO package for security testing purposes.
This package contains code patterns commonly found in malicious npm packages, but all dangerous functionality is disabled. It's used for testing and demonstrating Shoulder security scanning capabilities.
When scanned, this package will trigger alerts for:
- Install Scripts: Has preinstall and postinstall hooks
- Network Access: Contains code that would make HTTP requests
- Shell Execution: Contains child_process.exec and spawn calls
- Filesystem Access: Contains code targeting sensitive files (~/.ssh, ~/.aws, etc.)
- Environment Harvesting: Accesses sensitive environment variables
- Dynamic Evaluation: Contains eval() patterns
- Obfuscated Code: Contains obfuscated-looking variable names
This package is completely safe to install. All "malicious" code paths are:
- Commented out
- Only log to console
- Never actually execute
``bashTo test Shoulder scanning:
npm install @shoulderdev/malware-demo
Security tools need test cases. This package provides a safe way to verify that security scanners correctly identify suspicious patterns without risking actual harm.
Shoulder Security - Supply chain security for npm.
MIT