dependency-confusion-test-package

1.0.1 • Public • Published

Summary

This package is used to check your (company's) Artifactory against npm dependency confusion, also known as shadowing attacks. The package itself contains no functional code; it exists only to reveal which source the Artifactory downloads this npm package from.

Configuration and tests with JFrog Artifactory

Upload this package to your company npm Artifactory with a LOWER version than 1.0.1.

Configure a virtual npm repository in Artifactory that aggregates both package sources: the internal npm repository and npmjs.org.

Make sure priority resolution is set so that your internal package repository is preferred.

From your working machine, run npm install npm-shadowing-attack (make sure the virtual npm repository is configured as your registry).

If you get version 1.0.1 from the public repository, your company is vulnerable to dependency confusion attacks.

For details see: https://jfrog.com/blog/going-beyond-exclude-patterns-safe-repositories-with-priority-resolution/
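The check in the last step can be automated by reading the package-lock.json that the install produced. The script below is an added example, not part of this package; it assumes the internal copy was uploaded as 1.0.0 (any version lower than 1.0.1 behaves the same) and that the public copy is fetched from registry.npmjs.org.

```shell
#!/bin/sh
# Added example, not part of the package: after the npm install described above,
# read package-lock.json and decide whether the canary resolved from the copy you
# uploaded internally or from public npmjs.org. Assumes the internal copy was
# uploaded as 1.0.0 (any version lower than 1.0.1 works the same way).
PKG="dependency-confusion-test-package"
INTERNAL_VERSION="1.0.0"     # assumed: the version you uploaded internally
PUBLIC_VERSION="1.0.1"       # the public version this page names
PUBLIC_HOST="registry.npmjs.org"

# Lines of the canary's entry in a lockfileVersion 2/3 package-lock.json.
lock_entry() { sed -n "/\"node_modules\/$PKG\"/,/}/p" "$1"; }
# Version recorded for the canary.
lock_version() { lock_entry "$1" | sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' | head -n 1; }
# Host the canary tarball was fetched from.
lock_host() { lock_entry "$1" | sed -n 's/.*"resolved": *"http[s]*:\/\/\([^/]*\)\/.*/\1/p' | head -n 1; }

# Verdict: 0 = internal copy won, 1 = public copy won (vulnerable), 2 = unclear.
check_resolution() {
  version="$1"; host="$2"
  if [ "$version" = "$INTERNAL_VERSION" ] && [ "$host" != "$PUBLIC_HOST" ]; then
    echo "OK: $PKG $version came from $host"; return 0
  elif [ "$version" = "$PUBLIC_VERSION" ] || [ "$host" = "$PUBLIC_HOST" ]; then
    echo "VULNERABLE: $PKG $version came from $host (public copy shadowed internal)"; return 1
  fi
  echo "UNEXPECTED: $PKG version '$version' from '$host', inspect the lockfile"; return 2
}

# Constructed sample lockfile showing the vulnerable outcome, for offline use.
write_sample_lock() {
  cat > "$1" <<'EOF'
{
  "packages": {
    "": { "dependencies": { "dependency-confusion-test-package": "^1.0.0" } },
    "node_modules/dependency-confusion-test-package": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/dependency-confusion-test-package/-/dependency-confusion-test-package-1.0.1.tgz"
    }
  }
}
EOF
}

# Usage: sh check.sh path/to/package-lock.json (exit status is the verdict).
if [ -n "${1:-}" ]; then
  check_resolution "$(lock_version "$1")" "$(lock_host "$1")"
fi
```

A non-zero exit status from the script is what a CI job should fail on; the sample lockfile reproduces the vulnerable case so the logic can be tried without any registry access.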

Install

npm i dependency-confusion-test-package

Version

1.0.1

License

MIT

Unpacked Size

1.4 kB

Total Files

3

Collaborators

  • steffstefferson