@idkruan/test-publish-ghost
v0.0.1
GHOST security researcher placeholder — defensive claim for HackerOne Melio program. Contact [email protected] to take ownership.
Downloads: 133
@melio/locks-manager — security research placeholder
This is NOT an official Melio package. It is a defensive registration by HackerOne security researcher idkruan, claiming the @melio scope, which was previously unclaimed.
Why this exists
Melio Payments' own public engineering org (https://github.com/me-public/locks-manager) declares this exact package name (@melio/locks-manager) but the @melio npm scope was unclaimed. This means an attacker could have published a malicious version of this package and any Melio internal CI/dev environment that auto-installs from this scope would have loaded attacker code — a "dependency confusion" supply-chain attack.
This is the same attack class as the $64K Brizinov bounty payout for Microsoft / Apple / etc.
Impact
Pre-registration: an attacker who claimed @melio/locks-manager (and 3 sibling scopes: @melio-engineering, @meliopayments, @melio-payments) could potentially have executed code in Melio's internal infrastructure if their build systems didn't strictly pin to me-public/locks-manager or use a private registry.
Resolution
Melio Payments should:
- Take ownership of all 4 npm scopes: @melio, @melio-engineering, @meliopayments, @melio-payments
- Publish empty placeholder packages or move the me-public/locks-manager source to a scope they own
- Configure CI to use a private npm registry or strict GitHub package source pinning
Report
Reported via HackerOne to Melio's bug bounty program on 2026-05-16. Contact [email protected].
Safety guarantee
This package contains zero malicious code. The only runtime behavior is a console.log line. No postinstall hook. No data exfiltration. No network calls.
