@miurba/alcazaba
v99.99.99
SECURITY RESEARCH PLACEHOLDER — Reserved by Secur0 researcher ariverapoblet to demonstrate dependency-confusion exposure in miUrba (Alcazaba Beach SPA references @miurba/alcazaba). NOT for public consumption. Please contact [email protected] or via Secu
@miurba/ui-shell — SECURITY RESEARCH PLACEHOLDER
This package was published to public npm as a defensive proof-of-concept for a
dependency-confusion finding against miUrba (Spanish proptech, scope *.azurestaticapps.net MiUrba apps),
reported under the Secur0 bug bounty program.
The miUrba production SPAs (Alcazaba Beach, BackOffice) reference an internal
@miurba/ui-shell library, but the @miurba scope was not reserved on the
public npm registry. This placeholder exists so that any system attempting to
resolve @miurba/ui-shell from public npm hits a researcher-controlled package
instead of an attacker-controlled one.
What this package does
On install (preinstall and postinstall lifecycle scripts) the package performs:
- 1× DNS lookup to a Burp Collaborator instance owned by the researcher
- 1× HTTPS GET to the same Collaborator
The information sent is limited to: install phase (preinstall/postinstall), OS hostname, OS username, last two CWD segments, Node.js version, a CI flag, and the names (not values) of CI-related environment variables.
No secrets, file contents, or environment values are exfiltrated. The package exits 0 in all cases so it never breaks a build.
What you should do if you reached this package
- If you are a developer at miUrba: please contact [email protected] (or [email protected]) to coordinate transfer of this scope. We will republish the scope under your control immediately.
- If you are anyone else: please do not install this package. Pin your .npmrc to your own private registry for @miurba if you need it, and consider auditing your build for unintended public-registry resolution.
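One way to run the audit suggested above, as an added example that is not part of this package or the researcher's code: it scans a package-lock.json for packages in a private scope that resolved from an unexpected registry. The registry host npm.internal.example and the @miurba/core entry are assumptions made up for the sample.

```javascript
// Audit a package-lock.json (lockfileVersion 2 or 3) for packages in a private
// scope that were resolved from a registry other than the expected one.
// Assumption: npm.internal.example is a hypothetical private registry host.
const EXPECTED = { '@miurba': 'npm.internal.example' };

// "node_modules/a/node_modules/@scope/name" -> "@scope"; null if unscoped.
function scopeOf(lockKey) {
  const i = lockKey.lastIndexOf('node_modules/');
  if (i < 0) return null; // workspace or root entry
  const name = lockKey.slice(i + 'node_modules/'.length);
  return name.startsWith('@') ? name.split('/')[0] : null;
}

function auditLock(lock, expected = EXPECTED) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (entry.link) continue; // symlinked workspace package, nothing fetched
    const scope = scopeOf(key);
    if (!scope || !(scope in expected)) continue;
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* absent or not a URL */ }
    if (host !== expected[scope]) {
      findings.push({
        package: key,
        version: entry.version,
        resolvedHost: host,
        // set by npm when the package declares install lifecycle scripts
        hasInstallScript: entry.hasInstallScript === true,
      });
    }
  }
  return findings;
}

// Constructed lockfile fragment; @miurba/core and its version are made up.
const sampleLock = {
  packages: {
    '': { name: 'demo-spa', version: '1.0.0' },
    'node_modules/@miurba/ui-shell': {
      version: '99.99.99', hasInstallScript: true,
      resolved: 'https://registry.npmjs.org/@miurba/ui-shell/-/ui-shell-99.99.99.tgz',
    },
    'node_modules/@miurba/core': {
      version: '1.4.2',
      resolved: 'https://npm.internal.example/@miurba/core/-/core-1.4.2.tgz',
    },
  },
};
console.log(auditLock(sampleLock));
```

The matching pin in .npmrc is a line of the form @miurba:registry=https://npm.internal.example/ (host hypothetical). Entries with no resolved URL are reported with a null host so they can be reviewed by hand.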
Source code
The full source of this placeholder is available for review:
- package.json
- phone-home.js (the only logic — outbound DNS + HTTPS only)
- index.js (empty default export)
- this README.md
Researcher
- Handle: ariverapoblet
- Email: [email protected]
- Program: Secur0 — miUrba (private #77)
- Date: 2026-05-10
