npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@rivianlabs/dt-shop-bag-v0

v0.0.3

Published

Security research placeholder published as part of authorized Rivian Bug Bounty disclosure (Intigriti report RIVIAN-79L374RT). Triager Aurelius explicitly invited this claim. Intended for transfer to Rivian Inc. Contact: [email protected]

Downloads

1,148

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

mickpahpahmickpahpah

Keywords

security-researchintigritirivian-bug-bountydependency-confusion-defensedo-not-use

Readme

@rivian/bedrock — Security Research Placeholder

This is not an official Rivian package. It is a security research disclosure placeholder published by an Intigriti bug bounty researcher under explicit triager invitation.

Why this package exists

The Rivian production web bundles served from business.rivian.com and www.rivian.com reference the package import name @rivian/bedrock. The @rivian scope was unclaimed on the public npm registry as of 2026-05-04, meaning any third party could publish arbitrary code under that name and have it installed by Rivian CI/build pipelines that resolve dependencies from the default public registry.

This placeholder claims the name with a DNS-only, non-intrusive payload and an explicit transfer-to-vendor commitment. Full report:

What the package does

On npm install @rivian/bedrock, a single preinstall script runs beacon.js. That script performs one DNS resolution to a researcher-owned Project Discovery interactsh subdomain. It does not:

  • read any file
  • read any environment variable
  • send anything over HTTP
  • persist anything to disk
  • modify the installer's project

It only confirms the package was installed somewhere, so the researcher can demonstrate to Rivian's security team that dependency confusion is exploitable on Rivian infrastructure.

Transfer commitment

The maintainer of this package will transfer the @rivian scope and all packages published under it to Rivian Inc. on first request from a verifiable Rivian security contact ([email protected] or via Intigriti).

Defensive remediation (for Rivian)

  1. Claim the @rivian scope on public npm (https://www.npmjs.com/org/create).
  2. Publish defensive placeholder versions of every package name referenced in any Rivian production bundle.
  3. Set strict registry routing in every Rivian project's .npmrc:
    @rivian:registry=https://<your-internal-registry>/
  4. Enforce --frozen-lockfile in CI.
  5. Audit and claim the variants: @rivian-corp, @rivianev, @rivian-engineering, @rivian-internal, @rivian-com, @drive-tech, @drivetech, @dt-rivian, @dc-rivian, @ridg, @ridb, @rivianlabs, @rivianai. All were unclaimed at disclosure time.

License

Unlicense — placeholder only, no usable code.