npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

@goriv/eux

v0.999.999

Published

Security research PoC for Intigriti BBP (Rivian program). The @rivian npm scope is trademark-protected (npm form returns 'not available'), but @goriv was claimable despite goriv.co being Rivian's internal infrastructure domain (e.g. user-mgmt.dc.goriv.co). D

Readme

@rivian/eux — security research PoC

This package is a proof-of-concept for a dependency confusion finding submitted to Rivian via the Intigriti bug-bounty program.

Why this exists

Rivian's production bundle at legacy.basecamp.rivian.com/remoteEntry.js references the package name @rivian/eux. The @rivian scope is unclaimed on the public npm registry (the registry returns 404 for it). An attacker who claims the scope and publishes @rivian/eux at a version that satisfies the declared range and sorts above the internal 0.112.1-hotfix.1 will have that package installed, with no error or warning, by every build pipeline whose .npmrc does not route @rivian to Rivian's private registry: npm simply resolves the name against the only registry it has been told about. Which versions qualify depends on the range in package.json (a caret range on a 0.x version, such as ^0.112.1, admits only 0.112.x) and on whether a committed lockfile already pins the resolved tarball URL.

Initial Intigriti report 2026-05-02 was marked Informative on 2026-05-04 with the explicit invitation: "If you can claim the package and provide evidence of interactions from Rivian-owned systems, please open a new report."

This package is the response to that invitation.

What this package does

The postinstall script performs a single DNS lookup of a unique callback subdomain so the researcher can correlate which hosts ran the install. The encoded subdomain carries the hostname, platform and timestamp, nothing else.

It does not:

  • Make HTTP requests
  • Read or write files
  • Spawn child processes
  • Read environment variables or credentials
  • Persist anything on disk
  • Download or execute any second-stage payload

The full source is postinstall.js (~25 lines).

After evidence collection

This package will be:

  1. Unpublished (npm unpublish --force @rivian/eux) once Rivian confirms they will register the @rivian org themselves, OR
  2. Transferred to Rivian's npm org if they prefer to take it over.

Contact

Recommendation to Rivian

Register the @rivian org on npm (free tier sufficient) and publish placeholder packages for at least:

@rivian/eux, @rivian/dt-lib-lumberjack, @rivian/legacy, @rivian/ui, @rivian/shell, @rivian/components, @rivian/utils, @rivian/auth, @rivian/api.

Then pin @rivian to your private registry in every .npmrc across CI runners, developer workstations and monorepos.
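As an added example (not code from this package or from Rivian), the following Node.js script audits a project for the exposure described above: it parses the project's .npmrc, collects every scope used in package.json, and reports the scopes npm would resolve against the public registry, together with whether install-time scripts such as the postinstall beacon described earlier are permitted. The two .npmrc snippets, the manifest and the registry host npm.internal.example are constructed samples.

```javascript
// Added example (not code from the @goriv/eux package or from Rivian):
// audit a project for dependency-confusion exposure by checking which
// scopes in package.json would be fetched from the public registry under
// the project's .npmrc. The .npmrc text and package.json objects below are
// constructed samples; npm.internal.example is a placeholder private registry.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Parse the subset of .npmrc needed here: "key=value" lines, "#"/";"
// comments, the default "registry", "ignore-scripts", and scoped
// overrides of the form "@scope:registry=<url>".
function parseNpmrc(text) {
  const cfg = { registry: PUBLIC_REGISTRY, scopes: {}, ignoreScripts: false };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') {
      cfg.registry = value;
    } else if (key === 'ignore-scripts') {
      cfg.ignoreScripts = value === 'true';
    } else if (key.startsWith('@') && key.endsWith(':registry')) {
      cfg.scopes[key.slice(0, -':registry'.length)] = value;
    }
  }
  return cfg;
}

// Normalise trailing slashes so the URL comparison is exact.
function normalizeRegistry(url) {
  return url.replace(/\/+$/, '') + '/';
}

// Every scope (e.g. "@rivian") referenced by any dependency section.
function scopesInManifest(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const scopes = new Set();
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (name.startsWith('@')) scopes.add(name.split('/')[0]);
    }
  }
  return [...scopes].sort();
}

// A scope is exposed when npm would resolve its packages against the
// public registry: either there is no "@scope:registry" override and the
// default registry is public, or the override itself points at npmjs.org.
function findExposedScopes(npmrcText, pkg) {
  const cfg = parseNpmrc(npmrcText);
  const exposed = scopesInManifest(pkg).filter(
    (scope) => normalizeRegistry(cfg.scopes[scope] || cfg.registry) === PUBLIC_REGISTRY,
  );
  return { exposed, ignoreScripts: cfg.ignoreScripts };
}

// Constructed sample: a CI runner's .npmrc that pins only one scope.
const WEAK_NPMRC = `
# constructed sample; npm.internal.example is a placeholder
@acme:registry=https://npm.internal.example/
always-auth=true
`;

// Constructed sample: the hardened form, every internal scope routed to
// the private registry and lifecycle scripts disabled.
const HARDENED_NPMRC = `
@acme:registry=https://npm.internal.example/
@rivian:registry=https://npm.internal.example
ignore-scripts=true
`;

// Constructed sample manifest using package names from the README above.
const SAMPLE_PACKAGE = {
  name: 'shell-app',
  dependencies: {
    '@rivian/eux': '^0.112.1-hotfix.1',
    '@acme/ui': '1.2.0',
    react: '^18.0.0',
  },
  devDependencies: { '@rivian/dt-lib-lumberjack': '*' },
};

console.log('weak    :', JSON.stringify(findExposedScopes(WEAK_NPMRC, SAMPLE_PACKAGE)));
console.log('hardened:', JSON.stringify(findExposedScopes(HARDENED_NPMRC, SAMPLE_PACKAGE)));
```

Two caveats when acting on the report. A scoped registry entry only closes the hole if the private registry refuses to fall through to npmjs.org for names it does not hold; many proxying registries do fall through by default, which reproduces the confusion server-side. And ignore-scripts=true is the blunt setting; if a legitimate dependency needs its install script, allow it per package rather than re-enabling scripts globally. On any machine, `npm config get @rivian:registry` shows the effective routing after all .npmrc files are merged.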