cloudsmith-malware-poc
v0.1.1783545312
Published
EDUCATIONAL DEMO ONLY — blatant supply-chain malware payload for testing Cloudsmith detection and policy enforcement. Do NOT use in production.
Downloads
180
Maintainers
Readme
Cloudsmith Malware PoC — Publisher Demo
Educational demo only. This repo publishes a deliberately malicious npm package to Cloudsmith georgian/georgian-test so you can test vulnerability scanning, malware detection, and EPM policy enforcement.
What the payload does
On npm install, postinstall.js:
- Opens Calculator (obvious visual trigger)
- Lists environment variable names only (never values)
- Logs a fake exfil report addressed to
[email protected]— metadata only, no network call, no secrets sent
Cloudsmith target
| Setting | Value |
|---------|-------|
| Org | georgian |
| Repository | georgian-test |
| Registry URL | https://npm.cloudsmith.io/georgian/georgian-test/ |
| Package name | cloudsmith-malware-poc |
One-time setup
1. Cloudsmith permissions
The service account API key needs write access to georgian/georgian-test. In Cloudsmith:
- Open georgian-test → Privileges
- Grant the service account Write (or Admin)
2. GitHub secret
In this repo → Settings → Secrets → Actions, add:
| Secret | Value |
|--------|-------|
| CLOUDSMITH_API_KEY | Service account API key (csa_...) |
3. Enable enforcement (optional but recommended for blocking demo)
Scans run automatically on upload. Blocking requires EPM policies:
- Enable Continuous Security on
georgian-test - Enable Enterprise Policy Management (EPM)
- Add a Malicious Package policy (OSV/OpenSSF) — catches known-bad packages
- Add a Cooldown policy (e.g. quarantine packages published in last 14 days) — catches your custom zero-day demo
Without EPM, the package uploads and scans appear in the UI, but npm install still succeeds.
Run the demo
Local publish (quick test)
Cloudsmith direct — needs a valid Cloudsmith API key with Write on georgian-test:
chmod +x publish-local.sh npm-login-cloudsmith.sh
./publish-local.sh
# If E401: regenerate API key in Cloudsmith, update .env, then either:
# ./npm-login-cloudsmith.sh (username: token, password: API key)
# or fix CLOUDSMITH_SERVICE_ACCOUNT_KEY in .envnpm upstream — uses your npmjs login (npm adduser --registry https://registry.npmjs.org/):
chmod +x publish-local-npm.sh
./publish-local-npm.shInstall via Cloudsmith (needs auth — bare npm install --registry ... will E401):
chmod +x install-via-cloudsmith.sh
./install-via-cloudsmith.shRefresh GitHub secret after key change
source ../gh-actions-supply-chain-demo/.env
gh secret set CLOUDSMITH_API_KEY --body "$CLOUDSMITH_SERVICE_ACCOUNT_KEY" \
-R lullu57/gh-actions-demo-cloudsmith-malware
gh secret set CLOUDSMITH_API_KEY --body "$CLOUDSMITH_SERVICE_ACCOUNT_KEY" \
-R lullu57/gh-actions-demo-cloudsmith-consumerCI publish
Push to main or trigger publish to Cloudsmith manually. Each run publishes 0.1.<run_number>.
Verify in Cloudsmith
- Open georgian-test packages
- Find
cloudsmith-malware-poc - Check Security tab for ClamAV / vulnerability scan results
- If EPM is enabled, check quarantine state
Consumer test
Use the sibling repo gh-actions-demo-cloudsmith-consumer to install this package through Cloudsmith in CI.
What Cloudsmith will (and won't) catch
| Detection | Custom demo package | Known malicious (OSV) | |-----------|--------------------|-----------------------| | Vuln scan (CVEs) | Only if deps have CVEs | N/A | | ClamAV | Maybe — don't rely on it | Maybe | | OSV malicious feed | No (not in database) | Yes (with EPM policy) | | Cooldown policy | Yes (if newly published) | Yes |
Demo arc: publish without EPM (install works) → enable cooldown policy → republish → consumer CI blocked.
Related
- Orchestrator: gh-actions-supply-chain-demo
- Consumer: gh-actions-demo-cloudsmith-consumer
