Purrlock Cafe

Viewing the commit history, we noticed a mention of a security incident.

Viewing the repository activity, we found a force push.

Looking at the initial commit, we found a Google Cloud service account key.

The service account name is npm-reader. Looking at the package-lock.json, there's a reference to Artifact Registry.

Following the Artifact Registry documentation, we were able to authenticate and pull the packages.
Looking at the postinstall.js of the secrets menu, we see a reference to a secret in Google Cloud Secret Manager, as well as a base64-encoded service account.

We are then able to authenticate and retrieve the flag.
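From the defender's side, both leaks in this chain (the key file in the initial commit and the base64-encoded service account in postinstall.js) can be caught by one check. The scanner below is an added example, not code from the challenge; the sample inputs, the `example-project` name, the second account's e-mail and the 80-character threshold are constructed assumptions.

```python
import base64, binascii, json, re

# Base64 runs long enough to hold an encoded JSON key (length threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

def _json_objects(text):
    """Yield each JSON object that parses cleanly anywhere inside text."""
    decoder = json.JSONDecoder()
    pos = text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            pos = text.find("{", pos + 1)
            continue
        yield obj
        pos = text.find("{", end)

def find_service_account_keys(text, source):
    """Return one finding per service account key, plain or base64-wrapped."""
    candidates = [("plain", text)]
    for match in B64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
            candidates.append(("base64", decoded.decode("utf-8")))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64-encoded text, skip this run
    findings = []
    for encoding, body in candidates:
        for obj in _json_objects(body):
            if obj.get("type") == "service_account" and "private_key" in obj:
                findings.append({"source": source, "encoding": encoding,
                                 "client_email": obj.get("client_email")})
    return findings

def _constructed_key(email):
    # Constructed sample: key material is a placeholder, project name is made up.
    return json.dumps({"type": "service_account", "project_id": "example-project",
                       "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
                       "client_email": email})

SAMPLE_COMMIT_FILE = _constructed_key("npm-reader@example-project.iam.gserviceaccount.com")
SAMPLE_POSTINSTALL = ('const sa = Buffer.from("'
    + base64.b64encode(_constructed_key("second-sa@example-project.iam.gserviceaccount.com").encode()).decode()
    + '", "base64").toString();')

if __name__ == "__main__":
    for name, text in [("initial commit", SAMPLE_COMMIT_FILE), ("postinstall.js", SAMPLE_POSTINSTALL)]:
        print(find_service_account_keys(text, name))
```

Run it over file contents rather than diff output, for example each blob printed by `git show <rev>:<path>` or the scripts of an unpacked package. Any hit means the key should be treated as exposed and rotated, since the force push here did not stop the key from being recovered.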

